Construction and uses of variable-input-length tweakable ciphers

ABSTRACT

Innovations in the construction and use of variable-input-length tweakable ciphers (“VILTCs”). In some cases, a VILTC uses an initialization vector that is protected from exposure outside an encryption/decryption system in order to provide enhanced security with efficient performance. For example, a system for encryption and/or decryption includes two fixed-input-length tweakable block ciphers (“FIL TBCs”) and a VILTC. The first FIL TBC is adapted to produce a fixed-length initialization vector. The VILTC is adapted to produce a variable-length output string using the fixed-length initialization vector as a tweak. The second FIL TBC is adapted to produce a fixed-length output string. In this way, the first FIL TBC and the second FIL TBC protect the fixed-length initialization vector from exposure outside the system. In other cases, a VILTC is used for a reliable and efficient implementation of authenticated encryption/decryption with associated data.

RELATED APPLICATION INFORMATION

This application claims the benefit of U.S. Provisional Patent Application No. 61/910,292, filed Nov. 29, 2013, the disclosure of which is hereby incorporated by reference.

ACKNOWLEDGMENT OF GOVERNMENT SUPPORT

This invention was made with government support under CNS-0845610 and CNS-1319061 awarded by National Science Foundation. The government has certain rights in the invention.

FIELD

Construction and use of variable-input-length tweakable ciphers with protected initialization vectors.

BACKGROUND

In general, encryption is the process of encoding information so that only authorized parties, and not third parties, can read the information. In an encryption scheme, the information (referred to as plaintext) is encrypted using an encryption algorithm, turning it into an unreadable ciphertext. An authorized party is able to decode the ciphertext using a decryption algorithm. In computer systems, encryption algorithms encrypt binary values (that is, bits) of information.

A block cipher is an encryption algorithm operating on a fixed-length block of bits. An n-bit block cipher encrypts a block of n bits, producing n bits of ciphertext. Block ciphers are widely used, and there are many efficient implementations of block ciphers. A block cipher uses an encryption key. The security of a block cipher is understood to degrade as the number of blocks encrypted under a particular key increases. While changing the key to a block cipher is not difficult in itself, in several important applications the frequent generation and distribution of new block cipher keys is infeasible.

A tweakable block cipher (“TBC”) is a generalization of a block cipher. An n-character TBC {tilde over (E)} is a family of permutations over Σ^(n), where each permutation in the TBC is associated with a key and a tweak. Often, Σ={0,1}, in which case the TBC can be termed an n-bit TBC {tilde over (E)}.) For an input string, the key and tweak together specify the permutation of the input string that is produced by the TBC. In typical usage, the key is secret and fixed across many calls to the TBC, while the tweak is not secret and may change from call to call. This supports variability in the behavior of the TBC by changing values of the tweak, even though the key is fixed. If changing values of the tweak is sufficiently simple (compared to the process of key setup and update), using a TBC can be an efficient way to expand the volume of data that is securely encrypted with a block cipher. Using TBCs can simplify designing and analyzing algorithms (e.g., algorithms that can safely handle large volumes of data) A TBC may be useful when the volume of data to be encrypted is very large, compared to the available key material, and changing the block cipher key is not desirable or feasible. Even in applications in which the volume of data to be processed is not overly large, the tweak input can empower useful features in practical applications, such as using a TBC with a fixed key across several cryptographic uses, or across multiple users.

A tweakable cipher, sometimes called a tweakable enciphering scheme or large-block cipher, is an extension of a TBC to the variable-input-length (“VIL”) setting. Generally, a VIL tweakable cipher (“VILTC”) is a family of length-preserving permutations, producing ciphertext output with the same length as the plaintext input. One common approach to implementing VILTCs has been to construct a VILTC primitive from an underlying n-bit block cipher, sometimes in conjunction with one or more hashing operations. VILTCs constructed according to this approach may not provide sufficient security guarantees for some important use case scenarios, in particular, when n is small (e.g., 64), or when the amount of data to be processed by a single key is very large.

SUMMARY

In summary, the detailed description presents innovations in the construction and use of variable-input-length tweakable ciphers (“VILTCs”). In some cases, these VILTCs use an initialization vector that is protected from exposure outside an encryption/decryption system in order to provide enhanced security with efficient performance. In other cases, a VILTC is used for a reliable and efficient implementation of authenticated encryption/decryption with associated data.

According to one aspect of the innovations described herein, a system for encryption and/or decryption includes two fixed-input-length tweakable block ciphers (“FIL TBCs”) and a VILTC. Typically, the two FIL TBCs are provided through two calls to a single FIL TBC component. Alternatively, however, the two FIL TBCs can be provided with two different FIL TBCs.

The first FIL TBC (e.g., a first call to a given FIL TBC component, or a first different FIL TBC component) is adapted to produce a fixed-length initialization vector. For example, in a first call, the given FIL TBC component accepts a fixed-length input string, as first input for the given FIL TBC component, and a combination of a tweak for the system and a variable-length input string, as first tweak for the given FIL TBC component. The VILTC is adapted to produce a variable-length output string using the fixed-length initialization vector as a tweak. The second FIL TBC (e.g., a second call to the given FIL TBC component, or a second different FIL TBC component) is adapted to produce a fixed-length output string. For example, in a second call, the given FIL TBC component accepts the fixed-length initialization vector, as second input for the given FIL TBC component, and a combination of the system tweak and the variable-length output string, as second tweak for the given FIL TBC component. The first FIL TBC and the second FIL TBC protect the fixed-length initialization vector from exposure outside the system. The system tweak can be based on an environmental feature of the system.

According to another aspect of the innovations described herein, a system for encryption and/or decryption includes two N-character TBCs and a VILTC. The first N-character TBC (e.g., a first call to a given N-character TBC component, or a first different N-character TBC component) is adapted to produce an N-character initialization vector. The VILTC is adapted to produce a variable-length output string using the N-character initialization vector as a tweak. The second N-character TBC (e.g., a second call to the given N-character TBC component, or second different N-character TBC component) is adapted to produce an N-character output string. In this way, the first N-character TBC and the second N-character TBC protect the N-character initialization vector from exposure outside the system.

The system can include multiple buffers. For example, a first buffer stores an N-character input string and a variable-length input string, and a second buffer stores the N-character output string and the variable-length output string. Characters of the N-character input string, the variable-length input string, the N-character output string, and the variable-length output string are selected from a pre-determined, finite set of symbols (e.g., numbers 0 . . . 9, letters A . . . Z and numbers 0 . . . 9). The system's inputs also include one or more keys and a tweak value. The first N-character TBC, the VILTC and the second N-character TBC can be constructed from randomly generated permutation look-up tables. More generally, the first N-character TBC, the second N-character TBC, and the VILTC can be implemented using special-purpose hardware or implemented using software that executes on general-purpose hardware.

In example implementations, the first N-character TBC is adapted to produce the N-character initialization vector using an N-character input string, as input for the first N-character TBC, and a combination of a tweak for the system and a variable-length input string, as tweak for the first N-character TBC. The VILTC is adapted to produce the variable-length output string using the N-bit initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC. The second N-character TBC is adapted to produce the N-character output string using the N-character initialization vector, as input for the second N-character TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second N-character TBC.

According to another aspect of the innovations described herein, a system for encryption and/or decryption includes two N-bit tweakable block ciphers (“TBCs”) and a VILTC. The first N-bit TBC (e.g., a first call to a given N-bit TBC component, or first different N-bit TBC component) is adapted to produce an N-bit initialization vector. The VILTC is adapted to produce a variable-length output string using the N-bit initialization vector as a tweak. The second N-bit TBC (e.g., a second call to the given N-bit TBC component, or a second different N-bit TBC component) is adapted to produce an N-bit output string. In this way, the first N-bit TBC and the second N-bit TBC protect the N-bit initialization vector from exposure outside the system.

The system can include multiple buffers. For example, a first buffer stores an N-bit input string and a variable-length input string, and a second buffer stores the N-bit output string and the variable-length output string. The system's inputs also include one or more keys and a tweak value. The system can also include a controller adapted to adjust N to trade off security and implementation efficiency. A smaller value of N provides worse security but simplifies efficient implementation subject to security constraints. On the other hand, a larger value of N provides better security but complicates efficient implementation subject to the security constraints.

In example implementations, the first N-bit TBC is adapted to produce the N-bit initialization vector using an N-bit input string, as input for the first N-bit TBC, and a combination of a tweak for the system and a variable-length input string, as tweak for the first N-bit TBC. The VILTC is adapted to produce the variable-length output string using the N-bit initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC. The second N-bit TBC is adapted to produce the N-bit output string using the N-bit initialization vector, as input for the second N-bit TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second N-bit TBC. For example, given a tweak T and an B-bit input X (with B>N), the first N-bits of the input X (X_(L)) serve as the input to the first N-bit TBC (e.g., call to N-bit TBC), and the combination of the remaining (B-N) input bits (X_(R)) and T serve as the tweak for the first N-bit TBC. The N-bit output of this TBC serve as the initialization vector for the VILTC call, and X_(R) serves as the input to the VILTC call, producing a (B-N)-bit output (Y_(R)). Finally, the combination of Y_(R) and T serve as the tweak to a second N-bit TBC (e.g., call to N-bit TBC), which takes the initialization vector as input, and produces an N-bit output (Y_(L)). The concatenation of Y_(L) with Y_(R) is the resulting output. The length of this concatenation is exactly B-bits, so that the overall processing is length-preserving from input to output.

The first N-bit TBC and the second N-bit TBC can have an identical structure or different structures. As noted, the first N-bit TBC and second N-bit TBC can be provided through two calls to the same N-bit TBC component, with different inputs and outputs. In one implementation, at least one of the first N-bit TBC and the second N-bit TBC is an LRW2 TBC construction (defined below), and the VILTC is an iterated LRW2 TBC construction (defined below). In another implementation, at least one of the first N-bit TBC and the second N-bit TBC is a domain-extended CLRW2 construction (defined below), and the VILTC is an iterated CLRW2 construction (defined below). More generally, the first N-bit TBC, the second N-bit TBC, and the VILTC can be implemented using special-purpose hardware or implemented using software that executes on general-purpose hardware.

According to another aspect of the innovations described herein, a system such as an encryption system or decryption system processes a fixed-length input string, a tweak for the system, and a variable-length input string to produce a fixed-length output string and a variable-length output string. The tweak for the system can be set based on an environmental feature. As part of the processing, the system produces a fixed-length initialization vector, produces the variable-length output string with a VILTC using the fixed-length initialization vector as a tweak, and then obscures the fixed-length initialization vector. The system outputs the fixed-length output string and the variable-length output string.

According to another aspect of the innovations described herein, a system such as an encryption system or decryption system processes an N-character input string, a tweak for the system, and a variable-length input string to produce an N-character output string and a variable-length output string. As part of the processing, the system produces an N-character initialization vector, produces the variable-length output string with a VILTC using the N-character initialization vector as a tweak, and then obscures the N-character initialization vector. The system outputs the N-character output string and the variable-length output string.

The processing can be part of, for example, (1) format-preserving encryption, (2) format-preserving decryption, or (3) some other encryption or decryption activity. For encryption, the N-character input string and the variable-length input string are plaintext, and the N-character output string and the variable-length output string are ciphertext. For decryption, the N-character input string and the variable-length input string are ciphertext, and the N-character output string and the variable-length output string are plaintext.

In example implementations, the N-character initialization vector is produced with a first FIL TBC and is obscured by a second FIL TBC, which produces the N-character output string. The N-character initialization vector is produced with the first FIL TBC based on the N-character input string, as input for the first FIL TBC, and a combination of a tweak for the system and the variable-length input string, as tweak for the first FIL TBC. The variable-length output string is produced with the VILTC based on the N-character initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC. The N-character output string is produced with the second FIL TBC based on the N-character initialization vector, as input for the second FIL TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second FIL TBC. The system tweak can be set based on an environmental feature.

According to another aspect of the innovations described herein, a system such as an encryption system or decryption system processes an N-bit input string, a tweak for the system, and a variable-length input string to produce an N-bit output string and a variable-length output string. As part of the processing, the system produces an N-bit initialization vector, produces the variable-length output string with a VILTC using the N-bit initialization vector as a tweak, and then obscures the N-bit initialization vector. The system outputs the N-bit output string and the variable-length output string.

The processing can be part of, for example, (1) full-disk encryption, (2) full-disk decryption, (3) authenticated encryption with associated data, (4) authenticated decryption with associated data or (5) some other encryption or decryption activity. For encryption, the N-bit input string and the variable-length input string are plaintext, and the N-bit output string and the variable-length output string are ciphertext. For decryption, the N-bit input string and the variable-length input string are ciphertext, and the N-bit output string and the variable-length output string are plaintext.

In example implementations, the N-bit initialization vector is produced with a first N-bit TBC and is obscured by a second N-bit TBC, which produces the N-bit output string. The N-bit initialization vector is produced with the first N-bit TBC based on the N-bit input string, as input for the first N-bit TBC, and a combination of a tweak for the system and the variable-length input string, as tweak for the first N-bit TBC. The variable-length output string is produced with the VILTC based on the N-bit initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC. The N-bit output string is produced with the second N-bit TBC based on the N-bit initialization vector, as input for the second N-bit TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second N-bit TBC. The system tweak can be set based on an environmental feature.

According to another aspect of the innovations described herein, an encryption system receives a header and a message. The encryption system processes the message using a VILTC to provide authenticated encryption with associated data. A tweak for the VILTC is based at least in part on the header. The encryption system outputs the header and the encrypted message.

In example implementations, when it processes the message, the encryption system determines a modified header using the header and reconstruction information, determines a modified message using the message and the modified header, and encrypts the modified message using the VILTC with the modified header as the tweak for the VILTC. The encryption system outputs the reconstruction information.

A corresponding decryption system receives a header and an encrypted message (along with any reconstruction information). The decryption system processes the encrypted message using a VILTC to provide authenticated decryption with associated data. A tweak for the VILTC is based at least in part on the header. The decryption system outputs the message.

In example implementations, when it processes the encrypted message, the decryption system determines a modified header using the header and the reconstruction information, decrypts the encrypted message using the VILTC with the modified header as the tweak for the VILTC, and determines the message using the modified message and the modified header.

Optionally, for an authentication step, the decryption system checks to see if the message is valid. For example, if a pre-determined number of “0” bits have been appended to a message during encryption, then decryption can check for the presence of those bits. If this check fails, then decryption outputs an error. There may be multiple different checks for a message to pass, and the output error(s) may vary depending on which (combination of) checks fail. (This is the “authenticated” part of “authenticated encryption”—if an attacker tampers with an encrypted message, it will likely no longer be valid once decrypted.)

The innovations for constructing and using VILTCs can be implemented as part of a method, as part of a computing system adapted to perform the method or as part of tangible computer-readable media storing computer-executable instructions for causing a computing system to perform the method. The various innovations can be used in combination or separately.

The foregoing and other objects, features, and advantages of the invention will become more apparent from the following detailed description, which proceeds with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a generalized computing system in which some embodiments described herein can be implemented.

FIG. 2 is a diagram illustrating an example architecture for construction and use of VILTCs.

FIGS. 3 a-3 c are diagrams illustrating generalized constructions of a VILTC with a protected initialization vector.

FIG. 4 is a flowchart illustrating a generalized technique for using a VILTC with a protected initialization vector.

FIGS. 5 a-5 c are diagrams illustrating a first example implementation of VILTC with a protected initialization vector.

FIGS. 6 a-6 c are diagrams illustrating a second example implementation of VILTC with a protected initialization vector.

FIGS. 7 and 8 are flowcharts illustrating generalized techniques for authenticated encryption and decryption, respectively, with associated data using a VILTC.

FIGS. 9-11 are pseudocode listings illustrating aspects of theoretical justifications for some of the innovations described herein.

DETAILED DESCRIPTION

The detailed description presents innovations in the construction and use of variable-input-length tweakable ciphers (“VILTCs”). In some cases, these VILTCs use an initialization vector that is protected from exposure outside an encryption/decryption system in order to provide enhanced security with efficient performance. In other cases, a VILTC is used for a reliable and efficient implementation of authenticated encryption/decryption with associated data.

According to one aspect of the innovations described herein, a VILTC uses a protected initialization vector (“IV”). In some examples, constructing a VILTC with a protected IV offers a simple, modular approach for building a length-preserving, tweakable cipher that (1) may take plaintext inputs of essentially any length, (2) achieves the strongest possible security property for this type of primitive (that of being a strong, tweakable-pseudorandom permutation (“STPRP”)), and (3) can be implemented with n-bit primitives so as to make the VILTC with protected IV STPRP-secure well beyond the “birthday-bound” of 2^(n/2) invocations of the VILTC with protected IV. (The term birthday-bound refers to a level of security against attacks. For a VILTC construction with birthday-bound security, security guarantees are dramatically weakened by the time 2^(n/2) bits have been enciphered. A VILTC construction with beyond-birthday-bound security may remain secure long after 2^(n/2) bits have been enciphered.) By some measures of efficiency, beyond-birthday secure instantiations of a VILTC with protected IV are competitive with existing constructions that are only secure to the birthday bound.

A VILTC with protected IV has many cryptographic applications. In particular, in large-scale data-at-rest scenarios, where the amount of data to be protected by a single key is typically greater than in scenarios where keys can be easily renegotiated, a VILTC with protected IV can efficiently provide a suitable level of security. For example, a VILTC with protected IV can be used for full-disk encryption (“FDE”) and decryption, format-preserving encryption (“FPE”) and decryption, or authenticated encryption with associated data (“AEAD”) and decryption. Alternatively, a VILTC with protected IV can be used for another encryption/decryption application.

According to another aspect of the innovations described herein, a tweakable cipher is used for AEAD and corresponding decryption. A VILTC used for AEAD can be instantiated using a protected IV construction or some other VILTC construction. Using a tweakable cipher for AEAD can provide many advantages. For example, using a tweakable cipher for AEAD can help securely handle the reporting of multiple types of decryption errors. It can also eliminate ciphertext expansion by exploiting any existing nonces, randomness, or redundancies appearing in either the plaintext or associated data inputs. Using a VILTC with a protected IV (with appropriate setting of its parameters) enables AEAD schemes with beyond birthday-bound security.

Various alternatives to the examples described herein are possible. Various aspects of the disclosed technology can be used in combination or separately. Different embodiments use one or more of the described innovations. Some of the innovations described herein address one or more of the problems noted in the background. Typically, a given technique/tool does not solve all such problems.

I. Example Computing Systems

FIG. 1 illustrates a generalized example of a suitable computing system (100) in which several of the described innovations may be implemented. The computing system (100) is not intended to suggest any limitation as to scope of use or functionality, as the innovations may be implemented in diverse general-purpose or special-purpose computing systems.

With reference to FIG. 1, the computing system (100) includes one or more processing units (110, 115) and memory (120, 125). The processing units (110, 115) execute computer-executable instructions. A processing unit can be a general-purpose central processing unit (“CPU”), processor in an application-specific integrated circuit (“ASIC”) or any other type of processor. In a multi-processing system, multiple processing units execute computer-executable instructions to increase processing power. For example, FIG. 1 shows a central processing unit (110) as well as a graphics processing unit or co-processing unit (115). The tangible memory (120, 125) may be volatile memory (e.g., registers, cache, RAM), non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or some combination of the two, accessible by the processing unit(s). The memory (120, 125) stores software (180) implementing one or more innovations for constructing or using a VILTC, in the form of computer-executable instructions suitable for execution by the processing unit(s).

A computing system may have additional features. For example, the computing system (100) includes storage (140), one or more input devices (150), one or more output devices (160), and one or more communication connections (170). An interconnection mechanism (not shown) such as a bus, controller, or network interconnects the components of the computing system (100). Typically, operating system software (not shown) provides an operating environment for other software executing in the computing system (100), and coordinates activities of the components of the computing system (100).

The tangible storage (140) (also called computer-readable storage) may be removable or non-removable, and includes magnetic disks, magnetic tapes or cassettes, CD-ROMs, DVDs, or any other medium which can be used to store information and which can be accessed within the computing system (100). The storage (140) stores instructions for the software (180) implementing one or more innovations for constructing or using a VILTC.

The input device(s) (150) may be a touch input device such as a keyboard, mouse, pen, or trackball, a voice input device, touchscreen for receiving gesture input, a scanning device, or another device that provides input to the computing system (100). The output device(s) (160) may be a display (e.g., touchscreen), printer, speaker, CD-writer, or another device that provides output from the computing system (100).

The communication connection(s) (170) enable communication over a communication medium to another computing entity. The communication medium conveys information such as computer-executable instructions, audio or video input or output, or other data in a modulated data signal. A modulated data signal is a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media can use an electrical, optical, RF, or other carrier.

The innovations can be described in the general context of computer-readable media. Computer-readable media are any available tangible media that can be accessed within a computing environment. By way of example, and not limitation, with the computing system (100), computer-readable media include memory (120, 125), storage (140), and combinations of any of the above.

The innovations can be described in the general context of computer-executable instructions (also called machine-readable instructions), such as those included in program modules (also called computer program product), being executed in a computing system on a target real or virtual processor. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Computer-executable instructions for program modules may be executed within a local or distributed computing system.

The terms “system” and “device” are used interchangeably herein. Unless the context clearly indicates otherwise, neither term implies any limitation on a type of computing system or computing device. In general, a computing system or computing device can be local or distributed, and can include any combination of special-purpose hardware and/or general-purpose hardware with software implementing the functionality described herein.

The disclosed methods can also be implemented using specialized computing hardware configured to perform any of the disclosed methods. For example, the disclosed methods can be implemented by an integrated circuit specially designed or configured to implement any of the disclosed methods (e.g., an ASIC such as an ASIC digital signal process unit, a graphics processing unit, or a programmable logic device such as a field programmable gate array).

For the sake of presentation, the detailed description uses terms like “determine,” “provide” and “use” to describe computer operations in a computing system. These terms are high-level abstractions for operations performed by a computer, and should not be confused with acts performed by a human being. The actual computer operations corresponding to these terms vary depending on implementation.

II. Example Architectures for Construction or Use of VILTCs

FIG. 2 shows an example architecture (200) for construction and use of VILTCs. In particular, the architecture includes an encryption/decryption service (222) that uses VILTCs.

In FIG. 2, the applications (210, 212) represent software that interacts with the operating system (220). The applications (210, 212) can include a database transaction processing or analysis application, a Web browser, a word processor or other productivity software (with file explorer functionality), a message service or any other type of application that uses encryption or decryption. Although FIG. 2 shows two applications, the architecture (200) can include more or fewer applications.

The applications (210, 212) interact with the operating system (220) to use the encryption/decryption service (222). When requested by one of the applications (210, 212) or the operating system (220), the encryption/decryption service (222) can encrypt data that is stored in the disk storage (230) or main memory (240) (e.g., for a database). Conversely, the encryption/decryption service (222) can decrypt the data that is requested by one of the applications (210, 212) or the operating system (220). For example, for full-disk encryption (“FDE”), the encryption/decryption service (222) transparently encrypts data stored in the disk storage (230) and decrypts data returned from the disk storage (230). Or, for format-preserving encryption (“FPE”), the encryption/decryption service (222) encrypts data stored in disk storage (230) or main memory (240) so that it has the same format as unencrypted data. For example, data such as credit card numbers are encrypted such that the encrypted values are still formatted as credit card numbers. As another example, for authenticated encryption with associated data (“AEAD”), the encryption/decryption service (222) encrypts messages having headers for one of the applications (210, 212), and decrypts encrypted messages for one of applications (210, 212).

III. Notation and Principles

This section explains the notation used in the rest of the detailed description. It also explains principles of operation for certain aspects of the encryption/decryption systems described herein.

In general,

={0,1,2, . . . } represents a set of non-negative integers. For n∈

(a number n that is a member of the set

), {0,1}^(n) denotes the set of all n-bit binary strings, and {0,1}* denotes the set of all (finite) binary strings. The symbol ε indicates the empty string.

Suppose the strings s and t are finite binary strings (that is, s, t ∈{0,1}*). The value |s| is the length of s in bits. The value |(s, t)|=|s∥t|, where s∥t denotes the string formed by concatenating the strings s and t. If s ∈{0,1}^(nm), for some m∈

, the expression s₁s₂ . . . s_(m)

s indicates that each s_(i) is defined so that the length |s_(i)|=n, and s=s₁s₂ . . . s_(m). When n is implicit from context, it may be omitted from the notation. If s=b₁b₂ . . . b_(n) is an n-bit string (each b_(i) ∈{0,1}), then the part of the string s[i . . . j]=b_(i)b_(i+1) . . . b_(j), the part of the string s[i . . . ]=s [i . . . n], and the part of the string s[ . . . j]=s[1 . . . j].

The string s⊕t is the bitwise exclusive-or (“XOR”) of the strings s and t. If, for example, |s|<|t|, then s⊕t is the bitwise XOR of s and t[ . . . |s|].

Given R⊂

and n ∈

with n≦min (R), the strings {0,1}^(R)=U_(i∈R){0,1}^(i), and by abuse of notation, {0,1}^(R−n)=U_(i∈R){0,1}^(i−n). Given a finite set X, the expression X

X indicates that the random variable X is sampled uniformly at random from X. Throughout, the distinguished symbol ⊥ is assumed not to be part of any set except {⊥}. Given an integer n known to be in some range,

n

denotes some fixed-length (e.g., 64-bit) encoding of n. For example,

0

can indicate a 64-bit encoding of the value 0.

The function H:

×

→

⊂{0,1}*. Writing its first argument as a subscripted key, the function H is ∈-almost universal (∈−AU)) if, for all distinct values of, Y∈

, the probability Pr[H_(K)(Y)]≦∈ (where the probability is over K

). Similarly, the function H is ∈-almost 2-XOR universal if, for all distinct X, Y∈D and C∈R, the probability Pr[H_(K) (X)⊕H_(K) (Y)=C]≦∈.

An adversary is an algorithm taking zero or more oracles as inputs, which the adversary queries in a black-box manner before returning some output. Adversaries may be random. The notation A^(ƒ)

b denotes the event that an adversary A outputs b after running with oracle ƒ as its input.

Sometimes it will be convenient to give pseudocode descriptions of the oracles with which an adversary can interact, as well as procedures that set up or otherwise relate to such interactions. These descriptions will be referred to as games. A game includes a set of procedures, including a special “Main” procedure that takes an adversary A as input. Pr[G(A)

y] is the probability that the Main procedure of game G outputs y when given an adversary A as input. When no Main procedure is explicitly given, Main(A) simply executes A, providing it with the remaining procedures as oracles (in some order that will be clear from context), and then returns A's output.

is a non-empty set, and the strings

, X⊂{0,1}*. A tweakable cipher is a mapping {tilde over (E)}:

×

×X→X with the property that, for all (K,T)∈

×

, the tweakable cipher {tilde over (E)}(K, T, •) is a permutation on X. The key is typically indicated as a subscript, so that {tilde over (E)}_(K) (T, X)={tilde over (E)}(K, T, X). The tweakable cipher {tilde over (E)}_(K)(T, •) is invertible as shown {tilde over (E)}_(K) ⁻¹(T, •).

indicates the key space,

indicates the tweak space, and X indicates the message space. The tweakable cipher {tilde over (E)} is length preserving if |{tilde over (E)}_(K)(T, X)|=|X|, for all X∈X, T ∈

and K ∈

. Restricting the tweak or message spaces of a tweakable cipher gives rise to other objects. When the message space X={0,1}^(n), for some n>0, then {tilde over (E)} is a tweakable block cipher (“TBC”) with block size n. More generally, an n-character TBC {tilde over (E)} is a family of permutations over the message space X=Σ^(n), where each permutation in the TBC is associated with a key and a tweak. When |

|=1, the tweak is implicit, giving a cipher E:

×X→X, where E_(K)(•) is a (length-preserving) permutation over X, and E_(K) ⁻¹ is its inverse. Finally, when the message space X={0,1}^(n) and |

|=1, the conventional block cipher E:

×{0,1}^(n)→{0,1}^(n).

The value N (upper case) indicates the length of an input string for an N-bit TBC or N-character TBC, or the length of an IV for a VILTC. The N-bit TBC and VILTC can be constructed from n-bit block ciphers, where n (lower case) indicates block size for the block cipher. In sonic examples, N=n. In other examples, N=2n.

Perm(X) denotes the set of all permutations on X. BC (

, X) is the set of all ciphers with key space

and message space X. When X, X′ are sets, Func(X, X′) is the set of all functions ƒ:X→X′. A tweakable cipher {tilde over (E)}:

×

×X→X. The tweakable pseudorandom-permutation (“TPRP”) and strong-TPRP (“STPRP”) advantage measures are:

${{Ad}(A)} = {{\Pr \left\lbrack {K{\text{:}\mspace{14mu} A^{{\overset{\sim}{E}}_{K}{({\cdot {, \cdot}})}}}}\Rightarrow 1 \right\rbrack} - {\Pr \left\lbrack {\Pi \overset{\$}{\leftarrow}{B\; {C\left( {,} \right)}\text{:}\mspace{14mu} A^{\Pi {({\cdot {, \cdot}})}}}}\Rightarrow 1 \right\rbrack}}$ ${{A\; d(A)} = {{\Pr \left\lbrack {K{\text{:}\mspace{14mu} A^{{{\overset{\sim}{E}}_{K}{({\cdot {, \cdot}})}},{{\overset{\sim}{E}}_{K}^{- 1}{({\cdot {, \cdot}})}}}}}\Rightarrow 1 \right\rbrack} - {\Pr \left\lbrack {\Pi \overset{\$}{\leftarrow}{B\; {C\left( {,} \right)}\text{:}\mspace{14mu} A^{{\Pi {({\cdot {, \cdot}})}},{\Pi^{- 1}{({\cdot {, \cdot}})}}}}}\Rightarrow 1 \right\rbrack}}},$

where, in each case, adversary A takes the indicated number of oracles. For both the TPRP and STPRP experiments, the adversary A never repeats a query to an oracle. For the STPRP advantage measure, this also means that if the adversary A queries (T, X) to its leftmost oracle and receives Y in return, then adversary A never queries (T, Y) to its rightmost oracle, and vice versa.

A related measure, the SRND advantage, is defined as:

${{{Ad}(A)} = {{\Pr \left\lbrack {K{\text{:}\mspace{14mu} A^{{{\overset{\sim}{E}}_{K}{({\cdot {, \cdot}})}},{{\overset{\sim}{E}}_{K}^{- 1}{({\cdot {, \cdot}})}}}}}\Rightarrow 1 \right\rbrack} - {\Pr \left\lbrack A^{{\$ {({\cdot {, \cdot}})}},{\$ {({\cdot {, \cdot}})}}}\Rightarrow 1 \right\rbrack}}},$

where the $(•,•) oracle outputs a random string equal in length to its second input: |$(T, X)|=|X| for all T and X Adversaries for the above three advantages are nonce-respecting if the transcript of their oracle queries (T₁, X₁), . . . , (T_(q), X_(q)) does not include T_(i)=T_(j) for any i≠j.

For a cipher E:

×X→X, the pseudorandom permutation (“PRP”) and strong-PRP (“SPRP”) advantage measures are defined as:

Ad(A) = Pr [K:  A^(E_(K)(⋅)) ⇒ 1] − Pr [πPerm():  A^(π(⋅)) ⇒ 1] Ad(A) = Pr [K:  A^(E_(K)(⋅), E_(K)⁻¹(⋅)) ⇒ 1] − Pr [πPerm():  A^(π(⋅), π⁻¹(⋅)) ⇒ 1],

where, in each case, adversary A takes the indicated number of oracles.

Three adversarial resources are tracked: the time complexity t, the number of oracle queries q, and the total length of these queries μ. The time complexity of the adversary A is defined to include the complexity of its enveloping probability experiment (including sampling of keys, oracle computations, etc.), and the parameter t is defined to be the maximum time complexity of the adversary A, taken over both experiments in the advantage measure.

IV. Generalized Constructions and Uses for VILTCs with Protected IVs

FIGS. 3 a-3 c show generalized constructions (300, 301, 302) of a VILTC with a protected initialization vector. The generalized constructions (300, 301, 302) can be used for encryption, in which a fixed-length input string X_(L) and variable-length input string X_(R) of plaintext are converted to a fixed-length output string Y_(L) and variable-length output string Y_(R) of ciphertext. Or, the generalized constructions (300, 301, 302) can be used for decryption, in which a fixed-length input string Y_(L) and variable-length input string Y_(R) of ciphertext are converted to a fixed-length output string X_(L) and variable-length output string X_(R) of plaintext.

In the construction (300) of FIG. 3 a, a first FIL TBC (320 a) and second FIL TBC (340 a) protect the fixed-length initialization vector (328 a) from exposure outside the system. A buffer (310) stores a fixed-length input string (311 a) and a variable-length input string (312). A first FIL TBC (320 a) is adapted to produce the fixed-length initialization vector (328 a). For example, the first FIL TBC (320 a) is adapted to produce the fixed-length initialization vector (328 a) using the fixed-length input string (311 a), as its input, and a combination (e.g., concatenation or other adjustment) of a tweak (318) for the system and the variable-length input string (312), as its tweak. In FIG. 3 a, the filled-in portion of the first FIL TBC (320 a) (and the second FIL TBC (340 a)) represents the tweak input. The value of the tweak (318) can be based on an environmental feature of the system (e.g., logical hard disk sector ID for FDE, memory address, last four digits of a credit card number for FPE).

In FIG. 3 a, the variable-input-length tweakable cipher (“VILTC”) (330) is adapted to produce a variable-length output string (352) using the fixed-length initialization vector (328 a) as a tweak. For example, the VILTC (330) is adapted to produce the variable-length output string (352) using the fixed-length initialization vector (328 a), as its tweak, and the variable-length input string (312), as its input.

In FIG. 3 a, the second Fill, TBC (340 a) is adapted to produce a fixed-length output string (351 a). For example, the second FIL TBC (340 a) is adapted to produce the fixed-length output string (351 a) using the fixed-length initialization vector (328 a), as its input, and a combination (e.g., concatenation or other adjustment) of the tweak (318) and the variable-length output string (352), as its tweak. Typically, the first FIL TBC (320 a) and the second FIL TBC (340 a) use the same value for the tweak (318). Another buffer (350) stores the fixed-length output string (351 a) and the variable-length output string (352).

FIG. 3 b shows a variation of the construction (300) that is adapted for format-preserving encryption and decryption. In the construction (301) of FIG. 3 b, a first N-character TBC (320 b) and second N-character TBC (340 b) protect the N-character initialization vector (328 b) from exposure outside the system. A buffer (310) stores an N-character input string (311 b) and a variable-length input string (312). A first N-character TBC (320 b) is adapted to produce the N-character initialization vector (328 b). For example, the first N-character TBC (320 b) is adapted to produce the N-character initialization vector (328 b) using the N-character input string (311 b), as its input, and a combination (e.g., concatenation or other adjustment) of a tweak (318) for the system and the variable-length input string (312), as its tweak. The value of the tweak (318) can be based on an environmental feature of the system (e.g., last four digits of a credit card number for FPE).

In FIG. 3 b, the VILTC (330) is adapted to produce a variable-length output string (352) using the N-character initialization vector (328 b) as a tweak. For example, the VILTC (330) is adapted to produce the variable-length output string (352) using the N-character initialization vector (328 b), as its tweak, and the variable-length input string (312), as its input.

In FIG. 3 b, the second N-character TBC (340 b) is adapted to produce an N-character output string (351 b). For example, the second N-character TBC (340 b) is adapted to produce the N-character output string (351 b) using the N-character initialization vector (328 b), as its input, and a combination (e.g., concatenation or other adjustment) of the tweak (318) and the variable-length output string (352), as its tweak. Typically, the first N-character TBC (320 b) and the second N-character TBC (340 b) use the same value for the tweak (318) for the system. Another buffer (350) stores the N-character output string (351 b) and the variable-length output string (352).

Characters of the N-character input string (311 b), the variable-length input string (312), the N-character output string (351 b), and the variable-length output string (352) are selected from a pre-determined, finite set of symbols (e.g., numbers 0 . . . 9, letters A . . . Z and numbers 0 . . . 9). Example values of N for an N-character input string (311 b), N-character initialization vector (328 b), and N-character output string (351 b) are N=1 or N=2. More generally, N can be any positive integer.

The generalized construction (301) can be implemented in various ways. For example, the first N-character TBC (320 b), the VILTC (330) and the second N-character TBC (340 b) can be constructed from randomly generated permutation look-up tables. Recall that, in general, each permutation in a TBC is associated with a tweak and a key. The tweak and the key, as inputs to the TBC, specify a particular permutation for the TBC. In some implementations (e.g., for FPE applications in the credit-card payment industry, where regulatory pressures are strong), users may prefer to avoid explicit keys. In such cases, the tweak is used to select among a family of randomly generated permutation look-up tables.

More generally, the first N-character TBC (320 b), the second N-character TBC (340 b), and the VILTC (330) can be implemented using special-purpose hardware or implemented using software that executes on general-purpose hardware. Typically, the two N-character TBCs (320 b, 340 b) are provided through two calls to a single N-character TBC component, with different inputs and outputs as described above. Alternatively, however, the N-character TBCs (320 b, 340 b) can be provided with two different N-character TBC components.

FIG. 3 c shows a variation of the construction (300) that is adapted for full-disk encryption and decryption. In the construction (302) of FIG. 3 c, a first N-bit TBC (320 c) and second N-bit TBC (340 c) protect the N-bit initialization vector (328 c) from exposure outside the system. A buffer (310) stores an N-bit input string (311 c) and a variable-length input string (312). Example values of N are 128 and 256 bits. Example length values for the variable-length input string (312) are 4096 bytes and 8192 bytes.

In FIG. 3 c, a first N-bit TBC (320 c) is adapted to produce an N-bit initialization vector (328 c). For example, the first N-bit TBC (320 c) is adapted to produce the N-bit initialization vector (328 c) using the N-bit input string (311 c), as its input, and a combination (e.g., concatenation or other adjustment) of a tweak (318) for the system and the variable-length input string (312), as its tweak. The value of the tweak (318) can be based on an environmental feature of the system (e.g., logical hard disk sector ID for FDE).

In FIG. 3 c, the VILTC (330) is adapted to produce a variable-length output string (352) using the N-bit initialization vector (328 c) as a tweak. For example, the VILTC (330) is adapted to produce the variable-length output string (352) using the N-bit initialization vector (328 c), as its tweak, and the variable-length input string (312), as its input.

In FIG. 3 c, the second N-bit TBC (340 c) is adapted to produce an N-bit output string (351 c). For example, the second N-bit TBC (340 c) is adapted to produce the N-bit output string (351 c) using the N-bit initialization vector (328 c), as its input, and a combination (e.g., concatenation or other adjustment) of the tweak (318) and the variable-length output string (352), as its tweak. Typically, the first N-bit TBC (320 c) and the second N-bit TBC (340 c) use the same value for the tweak (318) for the system. Another buffer (350) stores the N-bit output string (351 c) and the variable-length output string (352).

The generalized construction (302) can be implemented in many ways, as detailed below. The first N-bit TBC and the second N-bit TBC have identical structure. Alternatively, they have different structures.

For example, in one implementation, the first N-bit TBC (320 c) and/or the second N-bit TBC (340 c) is an LRW2 TBC construction (defined below; see section V.A), and the VILTC (330) is an iterated LRW2 TBC construction. As further detailed below, a LRW2 TBC construction is adapted to produce an n-bit LRW2 output string by computing an XOR between (1) an encrypted version of an XOR between (a) an n-bit LRW2 input string and (b) an n-bit hash of a tweak input, and (2) the n-bit hash of the tweak input. As another example, in another implementation, the first N-bit TBC (320 c) and/or the second N-bit TBC (340 c) is a domain-extended CLRW2 construction (defined below; see section V.A), and the VILTC (330) is an iterated CLRW2 construction.

The construction (302) can include a controller (not shown) that is adapted to adjust N (number of bits for the fixed-length input string and fixed-length output string) to trade off security and implementation efficiency. A smaller value of N (e.g., 128) provides worse security but simplifies efficient implementation subject to security constraints. On the other hand, a larger value of N (e.g., 256) provides better security but complicates efficient implementation subject to the security constraints.

In general, N can be any positive integer. The numbers N=128 and N=256 are suitable when the FIL and VIL components of the protected IV construction are constructed from an underlying 128-bit block cipher (e.g., AES). If the PIV construction is implemented using block ciphers of another size (such as DES, with block size of 64 bits), another value for N may be suitable (e.g., 64 or 128 bits).

The first N-bit TBC (320 c), second N-bit TBC (340 c), and VILTC (330) can be implemented using special-purpose hardware. Or, the first N-bit TBC (320 c), second N-bit TBC (340 c), and VILTC (330) can be implemented using software that executes on general-purpose hardware. Typically, the two N-bit TBCs (320 c, 340 c) are provided through two calls to a single N-bit TBC component, with different inputs and outputs as described above. Alternatively, however, the N-bit TBCs (320 c, 340 c) can be provided with two different N-bit TBC components.

The construction (302) can be interpreted as a type of three-round, unbalanced Feistel network, where the left part of the input is of a fixed bit length N, and the right part has variable length. The first and third round-functions are the N-bit TBCs ({tilde over (F)}) (320 c, 340 c). In example implementations, the bit length N is a tunable parameter of the construction, and can have a value such as N=128 or N=256. The VILTC (330) provides a middle round-function ({tilde over (V)}), whose tweak is the output of first round, the initialization vector (328 c).

Compared to a conventional VILTC {tilde over (V)} without a protected IV, the VILTC module {tilde over (V)} in a VILTC with protected IV (PIV[{tilde over (F)}, {tilde over (V)}]) can have lower security requirements. The target security property for PIV[{tilde over (F)}, {tilde over (V)}] is being STPRP-secure. Informally, being STPRP-secure means withstanding chosen-ciphertext attacks in which the attacker also has full control over all inputs. The attacker can, for example, repeat a tweak an arbitrary number of times. As detailed in section VII, if a TBC {tilde over (F)} is STPRP-secure over a domain of N-bit strings, and a tweakable cipher {tilde over (V)} is secure against attacks that never repeat a tweak, then PIV[{tilde over (F)}, {tilde over (V)}] is STPRP-secure. Qualitatively, the protected IV construction promotes security (over a large domain), against a restricted kind of attacker, into security against arbitrary chosen-ciphertext attacks. Quantitatively, the security bound for PIV[{tilde over (F)}, {tilde over (V)}] contains an additive term q²/2^(N), where q is the number of times PIV[{tilde over (F)}, {tilde over (V)}] is queried. N can be the block size n of some underlying block cipher. In this case, the PIV[{tilde over (F)}, {tilde over (V)}] delivers a bound comparable to those achieved by existing constructions. If N=2n, an n-bit primitive can be used to instantiate {tilde over (F)} and {tilde over (V)}, and yet PIV[{tilde over (F)}, {tilde over (V)}] delivers a tweakable cipher with security well beyond beyond-birthday of 2^(n/2) queries.

Formally, in example implementations, PIV[{tilde over (F)}, {tilde over (V)}] is constructed based on the following. The tweak space

={0,1}^(t) for some t≧0.

⊂{0,1}*, such that if Y∈

, then {0,1}^(|Y|) ⊂

. T′=

×

. For an integer N>0, the TBC {tilde over (F)}:

′×

′×{0,1}^(N)→{0,1}^(N), and the VILTC {tilde over (V)}:

×{0,1}^(N)×

→

. From these, PIV[{tilde over (F)}, {tilde over (V)}]: (

′×

)×

×X→X, where X={0,1}^(N)×

.

The PIV composition of {tilde over (F)}, {tilde over (V)} is a three round Feistel construction, working as follows. On input (T,X), the plaintext input string X=X_(L)∥X_(R) where the length of the fixed-length part |X_(L)|=N. The first TBC {tilde over (F)}, using a key K′, creates an N-bit string for the initialization vector IV={tilde over (F)}_(K′)(T∥X_(R), X_(L)). Next, the VILTC {tilde over (V)} uses this IV to encipher the variable-length input string X_(R) with a key K, creating a variable-length output string Y_(R)={tilde over (V)}_(K)(IV, X_(R)). The second TBC {tilde over (F)} creates an N-bit output string Y_(L)={tilde over (F)}_(K′)(T∥Y_(R), IV). The ciphertext output string Y_(L)∥Y_(R) is returned as the value of PIV[{tilde over (F)}, {tilde over (V)}]_(K′,K)(T, X).

Conversely, the inverse construction PIV[{tilde over (F)}, {tilde over (V)}]_(K′,K) ⁻¹(T, Y) operates as follows. On input (T, Y), the ciphertext input string Y=Y_(L)∥Y_(R) where the length of the fixed-length part |Y_(L)|=N. The first TBC {tilde over (F)}, using a key K′, creates an N-bit string for the initialization vector IV={tilde over (F)}_(K′)(T∥Y_(R), Y_(L)). Next, the VILTC {tilde over (V)} uses this IV to decipher the variable-length input string Y_(R) with a key K, creating a variable-length output string X_(R)={tilde over (V)}_(K)(IV, Y_(R)). The second TBC {tilde over (F)} creates an N-bit output string X_(L)={tilde over (F)}_(K′)(T∥X_(R), IV). The plaintext output string X_(L)∥X_(R) is returned as the value of PIV[{tilde over (F)}, {tilde over (V)}]_(K′,K) ⁻¹(T, Y).

In FIG. 3 c, the construction includes three rounds. Alternatively, the construction can include more rounds (e.g., 5 rounds or 7 rounds), with N-bit TBCs ({tilde over (F)}) starting and ending the construction, and with multiple VILTC {tilde over (V)} components alternating among the N-bit TBCs ({tilde over (F)}).

FIG. 4 shows a generalized technique (400) for using a VILTC with a protected IV. An encryption system or decryption system performs the technique (400).

The system receives (410) a fixed-length input string (e.g., N-bit input string, N-character input string) and a variable-length input string. For encryption (e.g., during FDE, FPE, AEAD or another encryption scenario), the fixed-length input string and the variable-length input string are plaintext. For corresponding decryption, the fixed-length input string and the variable-length input string are ciphertext.

The system produces (420) a fixed-length initialization vector (e.g., N-bit initialization vector, N-character initialization vector). For example, the fixed-length initialization vector is produced with a FIL TBC based on the fixed-length input string, as input for the FIL TBC, and a combination of a tweak for the system and the variable-length input string, as tweak for the FIL TBC. The FIL TBC can be an N-bit TBC or N-character TBC, for example. For the FIL TBC, the system can set the value of the tweak based on an environmental feature of the system (e.g., disk sector, memory address) or set the value of the tweak in some other way. Alternatively, the fixed-length initialization vector is produced in some other way.

The system also produces (430) a variable-length output string with a VILTC, which uses the fixed-length initialization vector as a tweak. For example, the VILTC produces the variable-length output string based on the fixed-length initialization vector (as tweak for the VILTC) and the variable-length input string (as input for the VILTC). Alternatively, the variable-length output string is produced in some other way.

The system obscures (440) the fixed-length initialization vector. For example, the fixed-length initialization vector is obscured by a FIL TBC, which produces a fixed-length output string (e.g., N-bit output string, N-character output string) based on the fixed-length initialization vector, as input for the FIL TBC, and a combination of the system tweak and the variable-length output string, as tweak for the FIL TBC. The FIL TBC can be an N-bit TBC or N-character TBC, for example. Alternatively, the fixed-length initialization vector is obscured in some other way.

Finally, the system outputs (450) the fixed-length output string and the variable-length output string. For encryption (e.g., during FDE, FPE, AEAD or another encryption scenario), the fixed-length output string and the variable-length output string are ciphertext. For corresponding decryption, the fixed-length output string and the variable-length output string are plaintext.

V. Example Implementations for VILTCs with Protected IVs

Within the general framework for VILTCs with protected IVs, the fixed-input length (“FIL”) part {tilde over (F)} and variable-input-length (“VIL”) part {tilde over (V)} can be constructed independently. This modular approach is beneficial since constructing efficient and secure instantiations of the VIL part {tilde over (V)} is typically easy, when tweaks can be assumed not to repeat. Constructing a FIL TBC {tilde over (F)} that remains secure when tweaks may be repeated is simplified by having it process plaintext inputs of a fixed bit length N (that is, N-bit block size). In practice, when N=128 or 256, inefficiencies incurred by {tilde over (F)} can be offset by efficiency gains in {tilde over (V)}.

There are security advantages to setting the block size N to be as large as possible, but building a FIL TBC {tilde over (F)} with domain {0,1}^(N) for a large N, and for which Ad

(C) approaches q²/2^(N), is complicated. In particular, at present, there are no efficient constructions that permit Ad

(C) to be smaller than O(q³/2^(2n)) when using an n-bit block cipher as a starting point, although a construction for which N=2n is described below.

Therefore, this section focuses on constructing TBCs {tilde over (F)} with a relatively small N (e.g., 128, 256). In particular, N-bit TBCs are constructed out of block ciphers. For n as the block size of the block cipher, N=n, and N=2n. This section describes two implementations of VILTCs with protected IVs, each using n-bit block ciphers.

The first example implementation (called TCT₁) provides birthday-bound security. When N=n, the implementation is secure up to roughly q=2^(n/2), which is the birthday bound with respect to the block cipher. With this security bound in mind, the implementation uses simple and efficient constructions of both {tilde over (F)} and {tilde over (V)}. TCT₁ uses only one block cipher invocation and some arithmetic, modulo a power of two, per n-bit block of input. In contrast, previous approaches to implementing VILTCs either use two block cipher invocations per n-bit block, or use per-block finite field operations.

The second example implementation (called TCT₂) delivers security beyond the birthday-bound. When N=2n, the implementation is secure up to roughly q=2^(n) queries. With this tighter security bound in mind, there are still reasonably efficient constructions. When compared to previous VILTCs with only birthday-bound security, TCT₂ incurs only some additional, simple arithmetic operations per n bit block of input. Again, this arithmetic is performed modulo powers of two, rather than in a finite field.

In the TCT₁ and TCT₂ implementations, the VIL component {tilde over (V)} is instantiated using counter-mode encryption over a TBC. The additional tweak input of the TBC permits various “tweak-scheduling” approaches, e.g., fixing a single per-message tweak across all blocks, or changing the tweak each message block. (There is a natural connection between changing the tweak of a TBC and changing the key of a block cipher. Both can be used to boost security, but changing a tweak is cleaner because tweaks need not be secret.) Re-tweaking on a block-by-block basis leads to a beyond birthday-bound secure VILTC with protected IV construction that admits strings of any length at least N.

The procedure TCTR provides counter-mode encryption over an n-bit TBC {tilde over (E)}. Within a call to TCTR, each n-bit block X_(i) of the input X is processed using a per-block tweak T₁, which is determined by a function g:

′×

→

of the input tweak T and the block index i, as follows:

procedure TCTR[{tilde over (E)}]_(K)(T,X): X₁,X₂,...,X_(v) 

 X for i = to v   T_(i) ← g(T,i); Z_(i) ← 

i 

    Y_(i) ← {tilde over (E)}_(K)(T_(i),Z_(i)) ⊕ X_(i) Return Y₁,Y₂,...,Y_(v)

In the procedure inverse TCTR, each n-bit block Y_(i) of the input Y is processed using a per-block tweak T_(i), as follows:

procedure TCTR[{tilde over (E)}]_(K) ⁻¹(T,Y): Y₁,Y₂,...,Y_(v) 

 Y for i = to v   T_(i) ← g(T,i); Z_(i) ← 

 i 

    X_(i) ← Y_(i) ⊕ {tilde over (E)}_(K)(T_(i),Z_(i)) Return X₁,X₂,...,X_(v)

In a VILTC with protected IV, the TBC {tilde over (F)} handles long tweaks. The tweaks can be compressed using an ∈-AU hash function at the cost of adding a q²∈ term to the tweakable cipher's TPRP security bound. In particular, some example implementations use a variation of the NH hash. The function NH[r, s]_(L) takes r-bit keys (|L|=r), maps r-bit strings to s-bit strings, and is 2^(s/2)-AU. Given a TBC {tilde over (E)}, {tilde over (E)}^(NH) denotes the resulting TBC whose tweak space is now the domain of NH, rather than its range.

A. Components of First and Second Example Implementations

The first and/or second example implementations use the following components.

The component LRW2 indicates a birthday-bound TBC that uses a block cipher E and a ∈-AXU₂ function H.

LRW2[H,E] _((K,L))(T,X)=E _(K)(X⊕H _(L)(T))⊕H _(L)(T).

The component CLRW2 is a TBC with beyond birthday-bound security, which uses a block cipher E and a ∈-AXU₂ function H.

CLRW2[H,E] _((K) ₁ _(,K) ₂ _(,L) ₁ _(,L) ₂ ₎(T,X)=LRW2[H,E] _((K) ₂ _(,L) ₂ ₎(T,LRW2[H,E] _((K) ₁ _(,L) ₁ ₎(T,X)).

The component polyH^(mn) is a ∈-AXU₂ function with domain ({0,1}^(n))^(m) and ∈=m/2^(n). All operations are in F_(2n).

${{poly}\; {H_{L}^{mn}\left( {T_{1}T_{2}\mspace{14mu} \ldots \mspace{14mu} T_{m}} \right)}} = {\underset{i = 1}{\overset{m}{\oplus}}{T_{i} \otimes {L^{i}.}}}$

The component NH(vw, 2tw) is a ∈-AXU₂ function with ∈=1/2^(tw). Inputs are vw bits, where v is even and w>0 is fixed.

NH[v,t] _(K) _(1∥ . . . ∥) _(K) _(v+2(t−1)) (M)=H _(K) _(1 . . .) _(K) _(v) (M)∥H _(K) _(3 . . .) _(K) _(v+2) (M)∥ . . . ∥H _(K) _(2t−1 . . .) _(K) _(v+2t−2) (M), where

H _(K) _(1∥ . . . ∥) _(K) _(v) (X ₁ . . . X _(v))=Σ_(i=1) ^(v/2)(K _(2i−1)+_(w) X _(2i−1))·(K _(2i)+_(w) X _(2i))mod 2^(2w).

The component CDMS is a Feistel-like domain extender for TBC {tilde over (E)}.

CDMS[{tilde over (E)}]_(K)(T,L∥R)={tilde over (E)} _(K)(10∥T∥R′,L′)∥R′, where R′={tilde over (E)} _(K)(01∥T∥L′,R) and

L′={tilde over (E)} _(K)(00∥T∥R,L).

B. First Example Implementation TCT₁

The first example implementation TCT₁ is an efficient implementation with birthday-type security for applications with small plaintext messages (e.g., FDE). For this implementation, the size of the N-bit TBC is N=n, and the n-bit TBC {tilde over (F)} uses an LRW2 component. In addition to a block cipher E, LRW2[H,E] uses an ∈-AXU₂ hash function H. In theory, the LRW2 component can accommodate large tweaks. For practical purposes, however, it will be more efficient to implement LRW2 with a small tweak space, and then extend this small tweak space using a fast ∈-AU hash function. For the ∈-AXU₂ hash function itself, the first example implementation uses the polynomial hash polyH.

FIGS. 5 a-5 c illustrate components of the first example implementation TCT₁ (500), which takes a tweak T and message X as inputs. The message X is split into blocks X₁, X₂, . . . , X_(v), where the length of the all blocks except the last block X_(v) is n, and the length of the last block X_(v) is less than or equal to n. TCT₁ produces an output string Y=Y₁, Y₂, . . . , Y_(v). The block size of the FIL components is N=n. For k, n>0, E:{0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher. TCT₁=PIV[{tilde over (F)}, {tilde over (V)}], where to obtain a τn-bit tweak space and domain {0,1}^({n,n+1, . . . ,ln}), the n-bit TBC {tilde over (F)} and VILTC {tilde over (V)} are set as follows.

The n-bit TBC {tilde over (F)}=LRW2[polyH^(2n), E]^(NH[(l+τ)n,2n]). That is, the n-bit TBC {tilde over (F)} is a LRW2 component with its tweak space extended using NH. The key space for {tilde over (F)} is {0,1}^(k)×{0,1}^(2n)×{0,1}^((l+τ)n), with key K′ being partitioned into keys for E, polyH^(2n), and NH[(l+τ)n, 2n]. Since NH supports only fixed-length inputs, NH inputs are implicitly padded with a 1 and then enough 0s to reach a total length of (l+τ)n bits.) The tweak space for {tilde over (F)} is {0,1}^({0, 1, 2, . . . , (l+τ−1)n}).

FIG. 5 a shows a first n-bit TBC {tilde over (F)}′_(K′) (520) that accepts a tweak input (510) and message input. The message input is the first n-bit block X₁. The tweak input (510) is a tweak value T concatenated with a padded version of the remaining blocks of the message X. The fraction Pad( ) maps s to s∥10^((l+1)n−1−|s|). The first n-bit TBC {tilde over (F)}′_(K′) (520) produces an n-bit IV (538).

FIG. 5 a also shows a second n-bit TBC {tilde over (F)}′_(K′) (520) that accepts a tweak input (560) and message input. The message input is the n-bit IV (538). The tweak input (560) is the tweak value T concatenated with a padded version of blocks Y₂ . . . Y_(v) of the variable-length output string Y. The second n-bit TBC {tilde over (F)}′_(K′) (520) produces the first block Y₁ of the variable-length output string Y.

FIG. 5 b shows details of an n-bit TBC {tilde over (F)}′_(K′) (520). The NH function (521) accepts a tweak value with (l+r)×n bits and produces a tweak value with 2n bits. The polyH^(2n) function (522) produces an n-bit tweak value from the 2n-bit tweak value. The block cipher (523) encrypts the n-bit tweak value XOR'd with an n-bit input value (which varies between the first n-bit TBC {tilde over (F)}′_(K′) (X₁) and second n-bit TBC {tilde over (F)}′_(K′) (the n-bit IV)). The output of the block cipher (523) is then XOR'd with the n-bit tweak value, to produce n-bit output.

The VILTC {tilde over (V)}=TCTR[LRW2[polyH^(n), E]]. For the TCTR procedure, g: {0,1}^(n)×

→{0,1}^(n), as g(T, i)=T. The key space for {tilde over (V)} is {0,1}^(k)×{0,1}^(n) with key K being partitioned into keys for E and polyH^(n). The tweak space for {tilde over (V)} is {0,1}^(n), and its domain is {0,1}^({0,1, . . . , (l−1)n}).

As shown in FIG. 5 a, the TCTR for VILTC {tilde over (V)} is implemented as a series of components TBC {tilde over (F)}_(K) (540). Each TBC {tilde over (F)}_(K) (540) accepts, as tweak input, the n-bit IV (538). Each TBC {tilde over (F)}_(K) (540) also accepts, as message input, a padded counter value

i

, for 0≦i≦v−2. The output of each TBC {tilde over (F)}_(K) (540) is XOR'd with an n-bit block X_(i+2) of the message X to produce a block Y_(i+2) of the variable-length output string Y.

FIG. 5 c shows details of an n-bit TBC {tilde over (F)}_(K) (540). The polyH^(n) function (542) produces a resulting n-bit tweak value from an input n-bit tweak value. The block cipher (543) encrypts the resulting n-bit tweak value XOR'd with an n-bit input value (padded counter value). The output of the block cipher (543) is then XOR'd with the resulting n-bit tweak value, to produce an n-bit output.

C. Second Example Implementation TCT₂

The second example implementation TCT₂ provides beyond birthday-bound security. For this implementation, the size of the N-bit TBC {tilde over (F)} is N=2n. The 2n-bit TBC {tilde over (F)} uses a variation of CDMS component, which includes several n-bit TBCs as part of CLRW2 components to provide beyond-birthday-bound security. The tweak space is extended using NH, with range of NH set to {0,1}^(2n). Ultimately, setting {tilde over (F)}=CDMS[CLRW2]^(NH) is secure against up to around 2^(2n/3) queries. The CLRW2 component also is used in a beyond birthday-bound secure VILTC component, namely {tilde over (V)}=TCTR[CLRW2[E, H]], at least for l=o(q^(1/4)). TCT₂ supports τn-bit tweaks and has domain {0,1}^({2n,2n+1, . . . ,ln}).

FIGS. 6 a-6 c illustrate components of the second example implementation TCT₂ (600), which takes a tweak T and message X as inputs. The message X is split into blocks X₁, X₂, . . . , X_(v), where the length of the all blocks except the last block X_(v) is n, and the length of the last block X_(v) is less than or equal to n. The length of the message X is between 2n and l n bits. TCT₂ produces an output string Y=Y₁, Y₂, . . . , Y_(v). The block size of the FIL components is N=2n. For k, l, n, τ>0, E: {0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher. TCT₂=PIV[{tilde over (F)}, {tilde over (V)}], where the 2n-bit TBC {tilde over (F)} and VILTC {tilde over (V)} are set as follows.

The n-bit TBC {tilde over (F)}=CDMS[CLRW2[polyH^(6n), E]]^(NH[(l+τ−1)n,4n]). That is, the 2n-bit TBC {tilde over (F)} is a CDMS[CLRW2[polyH^(6n), E]] component with its tweak space extended using NH. The key space for {tilde over (F)} is {0,1}^(2k)×{0,1}^(12n)×{0,1}^((l+τ−1)n), with key K′ being partitioned into two keys for E, two keys for polyH^(6n), and a key for NH[ln, 4n]. The tweak space for {tilde over (F)} is

FIG. 6 a shows a first 2n-bit TBC {tilde over (F)}′_(K′) (620) that accepts a tweak input (610) and message input. The message input is the first two n-bit blocks X₁ and X₂. The tweak input (610) is a tweak value T concatenated with a padded version of the remaining blocks of the message X. The first 2n-bit TBC {tilde over (F)}′_(K′) (620) produces a 2n-bit IV (638).

FIG. 6 a also shows a second n-bit TBC {tilde over (F)}′_(K′) (620) that accepts a tweak input (660) and message input. The message input is the 2n-bit IV (638). The tweak input (660) is the tweak value T concatenated with a padded version of blocks Y₃ . . . Y_(v) of the variable-length output string Y. The second 2n-bit TBC {tilde over (F)}′_(K′) (520) produces the first two blocks Y₁ and Y₂ attic variable-length output string Y.

FIG. 6 b shows details of a 2n-bit TBC {tilde over (F)}′_(K′) (620). The NH function (621) accepts a tweak value with (l+r−1)×n bits and produces a tweak value T″ with 4n bits. The 2n-bit input, which varies between the first 2n-bit TBC {tilde over (F)}′_(K′) (X₁ and X₂) and second 2n-bit TBC {tilde over (F)}′_(K′) (the 2n-bit IV), is split into two n-bit inputs. The first n-bit input is provided to a first CLRW2[polyH^(6n), {tilde over (E)}_(K)] component (622), which also accepts a 6n-bit tweak value. The 6n-bit tweak value is determined by concatenating a padded version of the 4n-bit tweak value T′ (padded with n zero bits out to a length of 5n bits) and the second n-bit input. The first CLRW2 [polyH^(6n), {tilde over (E)}_(K)] component (622) produces an n-bit output value, which is concatenated after a padded version of the 4n-bit tweak value T′ (padded with n zero bits out to a length of 5n bits) to form a 6n-bit tweak value for the second CLRW2 [polyH^(6n), {tilde over (E)}_(K)] component (622). The second CLRW2[polyH^(6n), {tilde over (E)}_(K)] component (622), which also accepts the second n-bit input, produces an n-bit output. Similarly, a third CLRW2[polyH^(6n), {tilde over (E)}_(K)] component (622) processes the n-bit output value from the first CLRW2 component (622) and a 6n-bit tweak value (formed as shown in FIG. 6 b), producing another n-bit output. The n-bit outputs from the second and third CLRW2 components (622) are concatenated into a 2n-bit output of the CDMS component (620).

FIG. 6 c shows details of CLRW2[polyH^(rn), {tilde over (E)}_(K)] component, where r can be 6 (as in the components (622) of FIG. 6 b) or 2 (as in the components (640) of FIG. 6 a). The first polyH^(rn) function (642) produces an n-bit tweak value from an input r·n-bit tweak value. The first block cipher (643) (with key K1) encrypts the n-bit tweak value XOR'd with an n-bit input value. The output of the first block cipher (643) is then XOR'd with the n-bit tweak value, to produce an n-bit intermediate value. The second polyH^(rn) function (642) produces an n-bit tweak value from the input r·n-bit tweak value. The second block cipher (643) (with key K2) encrypts the n-bit tweak value XOR'd with the n-bit intermediate value. The output of the second block cipher (643) is then XOR'd with the n-bit tweak value, to produce an n-bit output value.

The VILTC {tilde over (V)}=TCTR [CLRW2[polyH^(2n),E]]. For the TCTR function, g: {0,1}^(n)×

→{0,1}^(n), as g(T, i)=T. The key space for {tilde over (V)} is {0,1}^(2k)×{0,1}^(4n), with key K being partitioned into two keys for E and two keys for polyH^(2n). The tweak space for {tilde over (V)} is {0,1}^(2n), and its domain is {0,1}^({0, 1, 2 . . . ,(l−2)n}). TCT₂ uses 4k+(l+τ+15)n bits of key material.

As shown in FIG. 6 a, the TCTR for VILTC {tilde over (V)} is implemented as a series of components TBC {tilde over (F)}_(K) (640). Each TBC {tilde over (F)}_(K) (640) is implemented as CLRW2[polyH^(2n), {tilde over (E)}_(K)]component. Each TBC {tilde over (F)}_(K) (640) accepts, as tweak input, the 2n-bit IV (638). Each TBC {tilde over (F)}_(K) (640) also accepts, as message input, an n-bit padded counter value

i

, for 0≦i≦v−3. The n-bit output of each TBC {tilde over (F)}_(K) (640) is XOR'd with an n-bit block X_(i+3) of the message X to produce a block Y_(i+3) of the variable-length output string Y. FIG. 6 c details a CLRW2[polyH^(rn), {tilde over (E)}_(K)] component for TBC {tilde over (F)}_(K) (640), where r=2.

D. Variations and Practical Considerations

This section describes several variations of TCT₁ and TCT₂. None of these changes significantly impact the security bounds for these implementations, unless otherwise noted.

Reducing the Number of Block Cipher Keys.

In the case of TCT₁, a single key can be used for both LRW2 instances, provided that domain separation is enforced through the tweak. This allows use of a single key for the underlying block cipher, which in some situations may allow for significant implementation benefits (for example by allowing a single AES pipeline). One method that accomplishes this is to replace LRW2[polyH^(2n), E]^(NH[l+1)n, 2n]) with LRW2[poly^(3n), E]^(ƒ(ε,•)) and LRW2 [polyH^(n), E] with LRW2 [polyH^(3n), E]^(ƒ(•,ε)). Here, ƒ is a 2^(−n)-AU function with key space {0,1}^(3n)×0,1^(ln), taking inputs of the form (X, ε) (for some X ∈{0,1}^(n)) or (ε, Y) (for some Y∈{0,1}^({0,1, . . . , ln})), and outputting a 3n-bit string. Let ƒ_(L)(X, ε)=0^(2n)∥X and ƒ_(L)(ε, Y)=1^(n)∥NH [(l+1)n, 2n]_(L) (Y). The function ƒ described here is a mathematical convenience to unify the signatures of the two LRW2 instances, thereby bringing tweak-based domain separation into scope; in practice, the two instances can be implemented independently, save for a shared block cipher key. TCT₂ can be modified in a similar manner to require only two block cipher keys.

Performance Improvements.

For a FIL TBC, NH [ln, 2n] can be used in place of NH[(l+1)n, 2n] by adjusting the padding scheme appropriately. Also, in the TCTR portion for the second example implementation TCT₂, the polyH functions can be computed once per CLRW2 component, since each LRW2 invocation uses the same tweak.

One possible implementation of TCT₂ uses 72 finite field multiplications during the two FIL phases (a result of evaluating polyH^(6n) twelve times). Alternatively, an implementation can cache an intermediate value of the polyH^(6n) hash used inside of CDMS (four n-bit tweak blocks are constant per invocation), which saves 32 finite field multiplications. Pre-computing the terms of the polynomial hash corresponding to the domain-separation constants eliminates 12 more multiplications, leaving 28 in total. Four more are used during the VIL phase, giving a count of 32.

Handling Large Message Spaces.

Both TCT₁ and TCT₂ are designed with FDE applications in mind. In particular, they use a value l that is fixed ahead of time, and use more than ln bits of key material. These limitations are a consequence of using the NH hash function. A simple extension to NH, however, accommodates arbitrarily long strings. For a positive integer r, NH_(L)*(M₁M₂ . . . M_(v))=NH_(L) (M₁)∥NH_(L)(M₂)∥ . . . ∥NH_(L)(M_(v))∥

|M|mod rn

, where |M_(i)|=rn for i<v, |M_(v)|≦rn and NH_(L) abbreviates NH_(L) [rn, 2N]. Thus defined, NH* is 2^(−N)-almost universal, has domain {0,1}*, and requires rn bits of key material. This modification shifts some of the weight to the polyH hash. Eight extra finite field multiplications are used for each additional rn bits of input.

With these modifications, the final two terms in TCT₁'s security bound (see section 7) become 8q²/2^(n)+600q²l²/r²2^(n)+4q²(l−1)²/2^(n), where ln is now the length of the adversary's longest query, l>2.5 r, and the remaining terms measure the (S)PRP security of the underlying block cipher. Assuming 2^(n)≧rn, |M| mod rn can be encoded within a single n-bit block. Although the constant of 600 is large, setting r=16, for example, reduces it to a more comfortable size—in this case to less than three. The bound for TCT₂ changes in a similar manner. (Also, if 2^(n−2)≧rn, a single n-bit block can be used for both the tweak domain-separation constants and <|M|mod rn>.)

Beyond Birthday-Bound Security for Long Messages.

When l is not bounded to some small or moderate value. TCT₂ no longer provides beyond-birthday-bound security. The problematic term in the security bound is q(l−1)²/2^(n). To address this, a different per-block tweak function can be used in the TCTR procedure. In particular, g(T, i)=T∥<i>. In the nonce-respecting case, the underlying TBC {tilde over (E)} is then re-tweaked with a never-before-seen value on each message block. If {tilde over (E)} were to be replaced by an ideal cipher Π, in the nonce-respecting case, every block of plaintext would be masked by the output of a fresh random permutation. In other words, every block returned will be uniformly random. Thus, a tight bound is expected in this case. Alternatively, one could use Z_(i)←0^(n), and the same would be true.

E. Instantiating VILTCs with Protected IV Using Conventional Encryption

Alternatively, the VILTC {tilde over (V)} can be realized directly using conventional block cipher-based encryption. Consider the following implementations of {tilde over (V)} and {tilde over (V)}⁻¹.

procedure {tilde over (V)}_(K) (T, X): X₁, X₂, ... , X_(b) 

 X for i = 1 to b Y_(i) ← E_(K) ( 

 T + i 

 )⊕X_(i) Return Y₁, Y₂, ... , Y_(b)

procedure {tilde over (V)}_(K) ⁻¹ (T, Y): Y₁, Y₂, ... , Y_(b) 

 Y for i = 1 to b X_(i) ← Y_(i)⊕E_(K) ( 

 T + i 

 ) Return X₁, ... , X_(b)

procedure {tilde over (G)}_(K)(T,X): X₁,X₂,...,X_(b) 

 X K ← f_(K)(T) for i = 1 to b   Y_(i) ← E _(K) ( 

 T + i 

 )⊕X_(i) Return Y₁,Y₂,...,Y_(b)

procedure {tilde over (G)}_(K) ⁻¹(T,Y): Y₁,Y₂,...,Y_(b) 

 Y K ← f_(K)(T) for i = 1 to b   X_(i) ← Y_(i)⊕E _(K) ( 

 T + i 

 ) Return X₁,...,X_(b)

This implementation of the VILTC {tilde over (V)} uses counter-mode encryption, but with the initial value T surfaced as an input to make it a tweakable cipher. Unfortunately, this implementation of the VILTC {tilde over (V)} lacks SRND-security against nonce-respecting adversaries. Nonetheless, it can be modified as follows with security

${{Adv}(A)} = {{\Pr\left\lbrack {K\overset{\$}{}{:\left. A^{{{\overset{\sim}{}}_{K}{( \cdot )}},{{\overset{\sim}{}}_{K}^{- 1}{( \cdot )}}}\Rightarrow 1 \right.}} \right\rbrack} - {{\Pr \left\lbrack A^{{\$ {( \cdot )}},{\$ {( \cdot )}}}\Rightarrow 1 \right\rbrack}.}}$

Given {tilde over (E)} with tweak space

and message space X, the oracle

_(K) takes a query X∈X and: (1) samples T

, (2) returns E_(K)(T, X). Oracle

_(K) ⁻¹ behaves likewise on input Y ∈X, sampling T

and returning E_(K) ⁻¹(T, Y).

VI. Authenticated Encryption/Decryption with Associated Data Using VILTCs

Authenticated encryption with associated data (“AEAD”) provides a way to authenticate messages that are sent with headers. For example, when a plaintext message is transformed into ciphertext in a way that protects its privacy and authenticity, there may be a packer header or other auxiliary information that accompanies the message and should be authenticated with the message. If a message is augmented with a nonce and redundancy, one can obtain authenticated encryption by passing the encoded message directly through an SPRP-secure block cipher with a sufficiently large domain.

This section describes ways to implement AEAD using VILTC components. The VILTC components can include VILTC components with protected IVs or VILTC components without protected IVs. In particular, this section identifies the salient properties of the mapping from header-message pairs (H, M) to tweakable cipher inputs (T, X). In addition to its simplicity, there are several practical advantages of implementing AEAD with VILTCs.

Authenticated encryption with VILTCs admits associated data and can withstand nonce-misuse. The tweak can be used effectively to bind a message header to the ciphertext.

Additionally, one can explore the effects of randomness, state or redundancy present in the message and the header inputs. For example, randomness and state can be shifted to the header without loss of security, potentially reducing the number of bits that must be processed cryptographically. In particular, this can reduce bandwidth overhead by leveraging nonces, randomness and redundancy already present in plaintext inputs. Messages in protocols that include sequence numbers, human-readable fields, or padding often contain useful nonces and redundancy.

AEAD with VILTCs also allows for multiple decryption error messages, while remaining robust against side-channel attacks that seek to exploit them (e.g., padding oracles). Use of multiple descriptive error messages can be quite useful in practice, but has often empowered damaging attacks. These attacks fail against AEAD schemes with VILTCs because, loosely, changing any bit of a ciphertext will randomize every bit of the decrypted plaintext string. Thus, AEAD with VILTCs offers robustness even in the face of certain side channels and common implementation mistakes. Descriptive error messages (e.g., bad_padding or bad_seq_number) cannot be leveraged to forge useful future ciphertext. Further, nonce repetitions only leak equality of plaintext.

This AEAD approach also works for FPE. To transparently insert an encryption layer into legacy systems (e.g., to database schemas or protocol specifications) with minimal changes, FPE uses ciphertext that has the same format as plaintext. For example, both might be restricted to the set Σ^(n), for some (often non-binary) alphabet Σ. This precludes inserting dedicated IVs into ciphertext. One can compensate by using associated data to tweak encryption, making tweakable ciphers and their security definitions a natural fit. Unique associated data guarantees privacy in a more standard sense, and checking redundancies such as credit card Issuer Identification Numbers and checksums) provides authenticated encryption.

In general, given a header Hand a message M, an AEAD scheme with a VILTC encodes (H, M) into a tweakable cipher input (T, X). For a Nonce of some fixed length, suppose T=Nonce∥H, and X=Nonce∥M. The header H is transmitted. The ciphertext cannot simply be C={tilde over (E)}_(K)(T, X), however, because the Nonce value is also needed for decryption. So, the ciphertext should be (Nonce, C). In this example, T=Nonce∥H was an encoded header, and X=Nonce∥M was an encoded message. The symbols T and X are replaced with H and M, respectively. The mapping from H to H=Nonce∥H is non-deterministic, but can be completely reproduced provided one knows Nonce, which acts as reconstruction information. The message encoding function uses the reconstruction information, and therefore has a different signature than the header encoding function. Also, the reconstruction information should not depend on M. The recipient computes M={tilde over (E)}K⁻¹( H, C), and verifies that Nonce is a prefix of M in M=Nonce∥M.

More formally, an AEAD scheme is a tuple Ψ=(

, ε,

) consisting of a key-generation algorithm

, an encryption algorithm ε, and a decryption algorithm

. For simplicity, the key-generation algorithm 3C is assumed to sample a key from a non-empty set of the same name. The encryption algorithm, which may be randomized or stateful, is a mapping ε:

×x

×

→

×{0,1}*. Thus, encryption takes a key K∈

, a header H∈

⊂{0,1}*, and a message M∈

⊂{0,1}* and returns some reconstruction information R∈

, along with ciphertext C. (R, C)

ε_(K)(H, M) represents running ε_(K) on (H, M), which returns (R, C). The deterministic decryption algorithm is a mapping

:

×

×

×{0,1}*→M∪Errors, where Errors is a set such that

∩Errors=Ø. (|Errors| need not equal 1.) For proper operation, Pr[

_(K)(H, ε_(K)(H, M))=M]=1 for all K∈

, H∈

and M∈

. If ε is stateful, this holds for all states.

In practice, the header H is typically transmitted in the clear along with the ciphertext (e.g., when the header is needed for routing), but AEAD schemes with VILTCs may also encode H into some related H for internal use. If this encoding is non-deterministic, the reconstruction information R delivers whatever is used by decryption to properly reconstruct this H from H. For example, R may consist of a counter, some random bits, or some redundancy. It may also be the empty string.

To avoid constructions that are trivially insecure by virtue of writing message or key bits into R, the following conditions apply. Given any sequence of inputs {(H_(i), M_(i))}_(i≦q) and any two sequences of possible outcomes {(R_(i), C_(i))}_(i≦q) and {(R_(i)′, C_(i)′)}_(i≦q), then for any H∈

, M, M′∈

, K, K′∈

, and r ∈

, Pr[R=r T ε_(K) (H_(i), M_(i))=(R_(i), C_(i)) for i≦q]=Pr[R′=r|ε_(K′)(H_(i)′, M_(i)′)=(R_(i)′, C_(i)′) for i≦q], where (R, C)

ε_(K)(H, M) and (R′, C′)

ε_(K) (H, M′), the states of ε_(K) and ε_(K′) being conditioned on the two transcripts, respectively. That is, R (hence, R′) can depend only on H, q, and coins tossed by ε_(K) on the query that generates R.

By allowing |Errors|>1, an AEAD scheme can return multiple, distinct error messages. This can be useful in practice, for example, for diagnostics within a protocol session.

Ideally, ciphertext is indistinguishable from random bits. Reconstruction information might not be random (e.g., R might be a counter), however, so the usual IND$-CPA notion is modified. To be specific, the privacy of an AEAD scheme Ψ is measured via the following advantage:

${{Adv}_{\Psi}^{priv}(A)} = {{\Pr\left\lbrack {{K\overset{\$}{}};{A^{ɛ_{K}{({\cdot {, \cdot}})}}1}} \right\rbrack} - {{\Pr\left\lbrack {{K\overset{\$}{}};{A^{\$_{K}{({\cdot {, \cdot}})}}1}} \right\rbrack}.}}$

$_(K) (•,•) is an oracle that, on input (H, M), computes (R, C)

ε_(K)(H, C), samples Y

{0,1}^(|C|), and returns (R, Y). The authenticity goal is the integrity of ciphertext. Namely,

${{{Adv}_{\Psi}^{{int}\text{-}{ctxt}}(A)} = {\Pr \left\lceil {{K\overset{\$}{}};{A^{{ɛ_{K}{({\cdot {, \cdot}})}},{_{K}{({\cdot {,{\cdot \cdot}}})}}}{Forges}}} \right\rceil}},$

where the Boolean event Forges is true if and only if A asks a query (H, R, C) to its

_(K) oracle such that (1)

_(K) (H, R, C) ∉ Errors, and (2) no prior query to ε_(K)(•, •) returned (H, R, C). Without loss of generality, A halts as soon as Forges becomes true.

A. Encoding and Decoding Schemes.

Informally, an encoding algorithm reformats its input, and injects randomness, state or redundancy, while a decoding algorithm validates and distills out the original input data.

More formally, in example implementations, the AEAD scheme (and corresponding decryption) use a message space

, a header space

, an encoded message space

⊂{0,1}*, and an encoded header

⊂{0,1}*. These sets are non-empty, but could equal {ε}. For a set Errors, Errors ∩

=Ø.

A header encoding function Encode_(H):

→

maps headers to encoded headers, possibly in some random or stateful fashion. There are a non-empty set

and a bijection

Ω,•

:

×

→

with the property that for all H, Encode_(H)(H)=

R, H

for some R∈

. In other words, H can be recovered from Encode_(H)(H), and any particular output of Encode_(H)(H) can be reconstructed from H given the corresponding R. Encode_(H) is (

,

,

)-encoder (leaving

•,•

implicit.

A message encoding scheme EncodeMsg=(Encode_(M), Decode_(M)) consists of a message encoding function Encode_(M):

×

→

and a message decoding function Decode_(M):

×

→

∪Errors. Encode_(M) can be randomized or stateful. Decode_(M)( H, M)=M∈

if and only if Pr[Encode_(M)( H, M)= M]>0 for some state of Encode_(M); otherwise. Decode_(M) ( H, M) ∈ Errors. It is possible, for example, for Decode_(M)=( H, M)=(⊥, H, M) ∈ Errors). The Decode_(M) algorithm is deterministic, and all algorithms should run in linear time. EncodeMsg is a (

,

,

,

, Errors)-encoding scheme.

The encoding functions have an associated maximal stretch. This is defined to be the smallest s ∈

such that, for all H∈

, H∈

, and M∈

, |Encode_(H) (H)|≦|(H)|≦|H|+s and |Encode_(M)( H, M)|≦|M|+s.

One key property of the encoding mechanisms relates to the likelihood that an encoding scheme can be made to repeat outputs. Let A be an adversary that asks q queries (not necessarily distinct) to an oracle ƒ, receiving Y ₁, Y ₂, . . . , Y _(q) response, and that halts by outputting these values. (ƒ can be a message- or header-encoding function.) A can be assumed to be deterministic. δ:

→[0,1] is a function. ƒ is (d, δ)-colliding if Pr[A^(ƒ)

( Y ₁, Y ₂, . . . , Y _(q)): ∃i₁<i₂< . . . <i_(d) such that Y _(i) ₁ = Y _(i) ₂ = . . . = Y _(i) _(d) ]≦δ(q). This notion is only defined for d≧2. Given a (d, δ)-colliding oracle, it can be assumed that δ(0)=δ(1)=0.

A second key property captures the probability that a random string (of a given length) is a valid encoding. In essence, this is a measure of the density of encodings. ∈∈

is a real number. The (

,

,

,

, Errors)-encoding scheme EncodeMsg=(Encode_(M), Decode_(M)) is ∈-sparse if for all positive integers n and all H∈

, |{C∈{0,1}^(n): Decode(H, C) ∉Errors}|/2^(n)≦∈.

B. AEAD Via Encode-then-Encipher, Corresponding Decipher-then-Decode.

FIG. 7 shows a generalized technique (700) for authenticated encryption with associated data using a VILTC. An encryption system performs the technique (700).

The encryption system receives (710) a header and a message. The encryption system processes (720) the message using a VILTC to provide authenticated encryption with associated data. The VILTC uses a protected IV. Alternatively, the VILTC is a conventional VILTC. A tweak for the VILTC is based at least in part on the header. The processing produces an encrypted message. The encryption system outputs (730) the header and the encrypted message.

For example, as part of the processing (720) of the message, the encryption system determines a modified header using the header and reconstruction information, then determines a modified message using the message and the modified header. The encryption system encrypts the modified message using the VILTC, with the modified header providing the tweak for the VILTC. The encryption system outputs (730) the reconstruction information along with the header and encrypted message.

The encryption system can repeat the technique (700) for one or more other messages.

FIG. 8 shows a generalized technique (800) for authenticated decryption with associated data using a VILTC. A decryption system performs the technique (800).

The decryption system receives (810) a header and an encrypted message. The decryption system processes (820) the encrypted message using a VILTC to provide authenticated decryption with associated data. The VILTC uses a protected IV. Alternatively, the VILTC is a conventional VILTC. A tweak for the VILTC is based at least in part on the header. The processing produces a decrypts message, which the decryption system outputs (830).

The decryption system can also receive reconstruction information. As part of the processing (820) of the encrypted message, for example, the decryption system determines a modified header using the header and the reconstruction information, then decrypts the encrypted message using the VILTC, with the modified header providing the tweak for the VILTC, thereby producing a modified message. The decryption system determines the message using the modified message and the modified header.

Optionally, for an authentication step, the decryption system checks to see if the message is valid. For example, if a pre-determined number of “0” bits have been appended to a message during encryption, then decryption can check for the presence of those bits. If this check fails, then decryption outputs an error. There may be multiple different checks for a message to pass, and the output error(s) may vary depending on which (combination of) checks fail. (This is the “authenticated” part of “authenticated encryption” if an attacker tampers with an encrypted message, it will likely no longer be valid once decrypted.)

The decryption system can repeat the technique (800) for one or more other messages.

More formally, in example implementations, {tilde over (E)}:

×

×

→

is a tweakable cipher. Encode_(H) is a (

,

,

)-encoder, and EncodeMsg=(Encode_(M), Decode_(M)) is an (

,

,

,

, Errors)-encoding scheme, for some non-empty sets

,

, and

. From these, an encode-then-encipher AEAD scheme Ψ[Encode_(H), EncodeMsg, E] is defined as follows.

procedure ε_(K)(H,M): H ← 

 R,H 

 

 Encode_(H)(H) M 

 Encode_(M) ( H,M) Return R,{tilde over (E)}_(K)( H, M)

procedure 

 _(K)(H,R,C): H ← 

 R,H 

M ← {tilde over (E)}_(K) ⁻¹( H,C) Return Decode_(M)( H, M)

Reconstruction information R allows decryption to reconstruct H from the header (in lieu of sending H as part of the ciphertext, or forcing the calling application to replace H with H.)

As a simple example, Encode_(H) prepends an 64-bit counter R to the header H, and Encode_(M) ( H, M) returns M∥0⁸⁰. Then Encode_(H) is (2,0)-colliding, and Encode_(M) is 2⁻⁸⁰-sparse (but (2,1)-colliding). Authenticity checks implicitly take place inside the Decode_(M) function.

VII. Explanation of Results

This section provides a detailed justification for the results presented above.

Theorem 1—Security for VILTC with Protected IV.

A VILTC with a protected IV still includes a VILTC module within it. The VILTC with a protected IV has a larger domain, and the N-bit TBC provide advantages in terms of security.

For tweak spaces and message spaces (

,

,

′, X) as defined in section IV, and for TBC length N, {tilde over (F)}:

′×

′×{0,1}^(N)→{0,1}^(N) is a tweakable block cipher, and {tilde over (V)}:

×{0,1}^(N)×

→

is a VILTC. PIV[{tilde over (F)}, {tilde over (V)}]:(

′×

)×

×X→X. A is an adversary making q<2^(N)/4 queries totaling μ bits and running in time t. For adversaries B and C, making q and 2q queries, respectively, and both running in O(t) time,

${{{Ad}(A)} \leq {{{Ad}(B)} + {{Ad}(C)} + \frac{4q^{2}}{2^{N}}}},$

where B is nonce-respecting and whose queries total μ-qN bits in length.

The VIL portion {tilde over (V)} of the PIV composition needs to be SRND-secure against only nonce-respecting adversaries. It is easy to build efficient schemes meeting this requirement. Only the fixed-input length (“FIL”) portion {tilde over (F)} needs to be secure against STPRP adversaries that can use arbitrary querying strategies. Thus the PIV composition promotes nonce-respecting security over a large domain into full STPRP security over a slightly larger domain. If {tilde over (F)} is a good STPRP, then if any part of T or X is “fresh,” the string for the IV should be random. Hence, it is unlikely that an IV value is repeated, and so nonce-respecting security of the VIL component is enough. The same holds when deciphering, if any part of T, Y is “fresh.”

The term 4q²/2^(N) accounts for collisions in IV and the difference between {tilde over (F)} and a random function. This is a birthday-bound term in N, the block size of {tilde over (F)}. Since most TBC designs employ (one or more) underlying block ciphers, the block size N of {tilde over (F)} can be larger than the block size n of some underlying block cipher upon which it might be built. Indeed, given an n-bit block cipher (and a hash function), {tilde over (F)} can be built with N=2n.

If one removes the lower {tilde over (F)} invocation (after {tilde over (V)}) and returns IV∥Y_(R), the resulting composition does not generically deliver a secure STPRP. On the other hand, it is secure as a TPRP (just not a strong TPRP). For a message space {0,1}^(S)(S⊂

), a tweak space

, and a non-negative integer n≦min(S), let A be an adversary making at most q queries and running in time t.

${{Ad}(A)} \leq {{{Ad}(A)} + {\frac{q\left( {q - 1} \right)}{2^{{m\; i\; {n{(S)}}} + 1}}.}}$

This result is essentially a PRF-PRP switching lemma for TBCs, and reduces the problem to that of bounding Ad

(A).

Consider ε[{tilde over (V)}]=PIV[{tilde over (V)}, Π], where Π

BC(N) is an ideal cipher. The oracles in Game 1 (“G1”) (shown in FIG. 9) simulate ε[{tilde over (V)}] and ε[{tilde over (V)}]⁻¹ using lazy sampling to define Π, so Pr[A^(ε[{tilde over (V)}],ε[{tilde over (V)}]) ⁻¹

1]=Pr[G1(A)

1]. In FIG. 9, Game 1 includes the boxed statements.

In Game 2 (“G2”) (also shown in FIG. 9), “illegal” values are no longer resampled when defining Π. In FIG. 9, Game 2 does not include the boxed statements. The only changes in the code occur after a Boolean “bad” flag is set to true; by the Fundamental Lemma of Game-Playing:

Ad

(A)≦(Pr[G2(A)

1]−Pr[A ^($(•,•),$(•,•))

1])+Pr[G2(A);bad₁ Vbad₂ Vbad₃].

In Game 2, {tilde over (V)} is never queried using the same tweak twice, and the oracles in the game return values with a random n-bit prefix. In Games 1 and 2, Boolean variables are initialized to false.

In a third Game (“G3”) (not shown in FIG. 9), {tilde over (V)} is replaced by an oracle $(•,•) that always returns a random string equal in length to its second input. By a standard argument, there exists some nonce-respecting adversary B making q queries and running in O(t) time such that:

Pr[G2(A)

1]−Pr[G3(A)

1]≦Ad

(B).

This leads to:

Ad

(A)≦(Pr[G3(A)

1]−Pr[A ^($(•,•),$(•,•))

1])+Pr[G2(A);bad₁ Vbad₂ Vbad₃]+Ad

(B).

Each the first N bits of each oracle output (corresponding to Z_(i)′) are always uniformly random in Game 2. When {tilde over (V)} switches to $(•,•) in Game 3, the remaining bits also become uniformly random. Hence Pr[G3(A)

1]=P[A^($(•,•),$(•,•))

1].

The final task is to bound the probability that A sets a bad flag in Game 2. The probability that bad₁ is set during query j is less than j/(2^(N)−2j). Similarly, the probabilities of bad₂ and bad₃ being set are at most 2j/(2^(N)−2j) and 2^(j)/2^(N), respectively. Therefore, the probability that at least one flag is set during query j is at most 3j/(2^(N)−2j)+2j/2^(N)

Taking the union bound over j∈1, 2, . . . , q yields Pr[G1(A);

$\left. {{bad}_{1}\bigvee{bad}_{2}\bigvee{bad}_{3}} \right\rbrack \leq {{q^{2}\left( {\frac{1.5}{2^{N} - {2q}} + \frac{1}{2^{N}}} \right)}.}$

Since q<2^(N)/4, 1.5/(2^(N)−2q)<3/2^(N), With the previous results, using a standard argument to return to the computational setting completes the proof:

${{{Ad}(A)} \leq {{{Ad}(B)} + {{Ad}(C)} + \frac{4q^{2}}{2^{N}}}},$

where C makes 2q queries, B makes q queries of total length μ−qN bits without repeating a tweak, and both run in O(t) time.

Theorem 2—TCTR.

Consider the behavior of the procedure TCTR when g(T, i)=T. The TBC {tilde over (E)}: {0,1}^(k)×

×{0,1}^(n)→{0,1}^(n), and TCTR[{tilde over (E)}]_(K) and TCTR[{tilde over (E)}]_(K) ⁻¹ are defined as in the TCTR pseudocode listings of section V, with g(T, i)=T∈

. A is a nonce-respecting adversary that runs in time t and asks q queries, each of length at most ln bits (so, μ≦qln). Then, for some adversary B making at most ql queries and running in time O(t), Ad

(A)≦Ad

(B)+0.5ql²/2n. The bound displays birthday-type behavior when l=o(√{square root over (q)}), and is tightest when l is a small constant. An important application with small, constant is full-disk encryption. Here plaintext X would typically be 4096 bytes long, so if the underlying TBC has block size n=128, there are roughly l=256 blocks.

Theorem 3—STPRP Security of TCT₁.

For TCT₁ defined as in section V.B, A is an adversary making q<2^(n)/4 queries and running in time t. Adversaries B and C, both running in time O(t), make (l−1)q and 2q queries, respectively, such that

${{Ad}(A)} \leq {{{Adv}_{E}^{prp}(B)} + {{Adv}_{E}^{sprp}(C)} + \frac{32q^{2}}{2^{n}} + {\frac{4{q^{2}\left( { - 1} \right)}^{2}}{2^{n\;}}.}}$

It follows that:

${{Ad}(A)} \leq {\frac{4q^{2}}{2^{2n}} + {{Ad}\left( {t^{\prime},q} \right)} + {{Adv}_{\overset{\sim}{F}}^{sprp}\left( {t^{\prime},{2q}} \right)}} \leq {\frac{4q^{2}}{2^{n}} + \left\lbrack {\frac{{q\left( { - 1} \right)}^{2}}{2^{n}} + {{Ad}\left( {t^{\prime},{\left( { - 1} \right)q}} \right)}} \right\rbrack + {\quad{\left\lbrack {\frac{24q^{2}}{2^{n}} + \frac{4q^{2}}{2^{n}} + {{Adv}_{E}^{sprp}\left( {t^{\prime},{2q}} \right)}} \right\rbrack \leq {\frac{4q^{2}}{2^{n}} + \left\lbrack {\frac{{q\left( { - 1} \right)}^{2}}{2^{n}} + \frac{3{q^{2}\left( { - 1} \right)}^{2}}{2^{n}} + {{Adv}_{E}^{prp}\left( {{\left( { - 1} \right)q},t^{\prime}} \right)}} \right\rbrack + {\quad{\left\lbrack {\frac{28q^{2}}{2^{n\;}} + {{Adv}_{E}^{sprp}\left( {t^{\prime},{2q}} \right)}} \right\rbrack \leq {\frac{32q^{2}}{2^{n}} + \frac{{q\left( { - 1} \right)}^{2}}{2^{n}} + \frac{3{q^{2}\left( { - 1} \right)}^{2}}{2^{n}} + {{Adv}_{E}^{prp}\left( {{\left( { - 1} \right)q},t^{\prime}} \right)} + {{{Adv}_{E}^{sprp}\left( {t^{\prime},{2q}} \right)}.}}}}}}}}$

This algorithm requires 2k+(3+τ+l)n bits of key material, including two keys for {tilde over (E)}. A single key for E may suffice, however, with no significant damage to the security bound, although this improvement is motivated primarily by performance concerns. Thus, the TCT₁ implementation retains the security of previous constructions, and uses arithmetic in rings with powers-of-two moduli, rather than in a finite field. This may potentially improve performance in some architectures.

Theorem 4—STPRP Security of TCT₂.

For TCT₂ defined as in section V.C, A is an adversary making q queries and running in time t, where 6q, lq<2^(2n)/4. Adversaries B and C, both running in O(t) time, make (l−1)q and 6q queries, respectively, such that

${{Ad}(A)} \leq {{2{{Adv}_{E}^{prp}(B)}} + {2{{Adv}_{E}^{sprp}(C)}} + \frac{12q^{2}}{2^{2n}} + \frac{{q\left( { - 1} \right)}^{2}}{2^{n}} + \frac{6^{3}q^{3}}{2^{{2n} - 2} - {^{3}q^{3}}} + {\frac{6^{4}q^{3}}{2^{{2n} - 2} - {6^{3}q^{3}}}.}}$

It follows that:

${{Ad}(A)} \leq {\frac{4q^{2}}{2^{2n}} + {{Ad}\left( {t^{\prime},q} \right)} + {{Adv}_{\overset{\sim}{F}}^{sprp}\left( {t^{\prime},{2q}} \right)}} \leq {\frac{4q^{2}}{2^{2n}} + \left\lbrack {\frac{{q\left( { - 1} \right)}^{2}}{2^{n}} + {{Ad}\left( {t^{\prime},{\left( { - 1} \right)q},} \right)}} \right\rbrack + {\quad{\left\lbrack {\frac{4q^{2}}{2^{2n}} + \frac{4q^{2}}{2^{n}} + {{Ad}\left( {t^{\prime},{6q},} \right)}} \right\rbrack \leq {\frac{12q^{2}}{2^{2n}} + \frac{{q\left( { - 1} \right)}^{2}}{2^{n}} + \frac{6^{3}q^{3}}{2^{{2n} - 2} - {^{3}q^{3}}} + \frac{6^{4}q^{3}}{2^{{2n} - 2} - {6^{3}q^{3}}} + {2{{Adv}_{E}^{prp}\left( {t^{\prime},{\left( { - 1} \right)q}} \right)}} + {2{{{Adv}_{E}^{sprp}\left( {t^{\prime},{6q}} \right)}.}}}}}}$

Some of the constants in this bound are significant. However, TCT₂ nevertheless provides substantially better security bounds than TCT₁ and previous constructions.

Theorem 5—Beyond Birthday-Bound Security for Long Messages.

{tilde over (E)}: {0,1}^(k)×

×{0,1}^(n)→{0,1}^(n) is a TBC, and TCTR[{tilde over (E)}]_(K) and TCTR[{tilde over (E)}]_(K) ⁻¹ are defined as in section V.D, with g:

′×→

being an arbitrary injective mapping. A is a nonce-respecting adversary that runs in time t and asks q queries of total length at most μ=σn bits. Some adversary B makes at most σ queries and runs in time O(t), such that Ad

(A)≦Ad

(B). Using this variation of TCTR in the security proofs for TCT₁ and TCT₂ removes the q(l−1)² term from the bounds, thereby lifting message length concerns. If this change is made, g(T, i) is computed up to l times per invocation, rather than just once. This problem may be mitigated by using another TBC (as described in Rogaway, “Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC” (2004)) in place of LRW2, which makes incrementing the tweak extremely fast without significantly changing the security bound. When the above change are made, TCT₁ and TCT₂ offer efficient tweakable ciphers on an unbounded domain, losing security guarantees only after O(2^(n/2)) (resp., O(2^(2n/3))) bits have been enciphered.

Theorem 6 and Lemmas VILTC with Protected IV with Conventional Encryption.

Suppose

,

,

′, X′, integer N, TBC {tilde over (F)} and tweakable cipher {tilde over (V)} are as described in Theorem 1. A is an adversary making q<2^(N)/4 queries and running in time t. Adversaries B and C, making q and 2q queries, respectively, run in O(t) time, such that

${{Ad}(A)} \leq {\frac{5q^{2}}{2^{N}} + {{Ad}(B)} + {{Ad}(C)}}$

where B is nonce-respecting. A standard proof shows that the TBC in the pseudocode listings in section V.E is SRND$-secure, up to a birthday bound, if E is secure as a PRP.

Suppose E: {0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher, and {tilde over (V)} and {tilde over (V)}⁻¹ are defined as in the pseudocode listings in section V.E. Lit A be an adversary running in time t, and asking q queries these totaling at most μ=σn bits. Then Ad

(A)≦σ²/2^(n)+Adv_(E) ^(prp)(B), where B asks at most a queries, and runs in time O(t).

Thus, one could compose counter-mode encryption with {tilde over (F)} based on LRW2 to build an efficient, birthday-bound-secure STPRP. One can view {tilde over (F)}_(K′)(T∥X[N+1 . . . ], X[1 . . . N)) as a special kind of PRE (one with invertibility properties), that takes input (T, X) and returns a “synthetic IV” for use in counter-mode. The second application of {tilde over (F)}_(K′) then serves to hide this synthetic IV in way that leaves it recoverable to those in possession of key K′.

The security of this counter-mode construction can be increased by “re-keying” the underlying block cipher, using a PRF ƒ: {0,1}^(k)×(0,1)^(n)→{0,1}^(k) to generate per-message keys, as shown in the construction of {tilde over (G)}, {tilde over (G)}⁻¹ in the pseudocode listings of section V.E. {tilde over (G)}_(K) (T, X) can be computed as (1) K←ƒ_(K)(T), (2) return {tilde over (F)} _(K) (T, X). Recalling that, for any function ƒ:

×S→S′, the pseudo-random function (PRF) advantage of adversary A against ƒ is defined to be Adv_(ƒ) ^(prf) (A)=Pr [K

:A^(ƒ) ^(K) ^((•))

1]−Pr[ρ

Func(S, S′): A^(ρ(•))

1], theorem 6 follows.

Theorem 6.

E:{0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher, and {tilde over (V)} and {tilde over (V)}⁻¹ are as defined in the pseudocode listings of section V.E. ƒ: {0,1}^(k)×{0,1}^(n)→{0,1}^(k) is a function, and {tilde over (G)} and {tilde over (G)}⁻¹ are as defined in the pseudocode listings of section V.E. A is a nonce-respecting adversary that runs in time t, and asks q queries, each of length at most mn bits (so, μ≦qmn). Ad

(A)≦q(m²/2^(n)+Ad_(E) ^(prp)(B))+Adv_(ƒ) ^(prf) (C) where: (1) B asks at most m queries and runs in time O(t), and (2) C asks q queries and runs in time at most O(t).

If the maximum number of blocks in a message in is small, this re-keying approach has the potential to give beyond birthday-bound SRND-security against nonce-respecting adversaries. In the case of FDE, for example, Adv_(E) ^(prp)(t′, 32) appears to be very small when n=128, so security for q>>2⁶⁴ seems possible. This implementation uses a PRF ƒ that remains secure for any such q.

In any case, the construction of the VILTC {tilde over (G)} violates a core principle of the tweakable primitive abstraction, namely that tweak changes should be fast, and much faster than changing the key.

Theorem 7—Privacy for AEAD.

Ψ=Ψ[Encode_(H), EncodeMsg, {tilde over (E)}] as defined in the pseudocode listings in section VI.B. s is the maximal stretch of EncodeMsg, s′ is the maximal stretch of Encode_(H), and m is the length of the shortest M∈

satisfying Decode_(m)( H, M)≠Errors for some H∈

. A is an adversary making q queries totaling μ bits, and running in time t. If Encode_(H) is (d, δ_(H))-colliding and Encode_(M) is (2, δ_(m))-colliding for some δ_(M) that is increasing and convex on {0, 1 . . . , q}, there is an adversary B such that:

${{{Adv}_{\Psi}^{priv}(A)} \leq {{{Ad}(B)} + {\left( {{\delta_{M}\left( {d - 1} \right)} + \frac{\left( {d - 1} \right)\left( {d - 2} \right)}{2^{m + 1}}} \right)\left\lceil \frac{q}{d - 1} \right\rceil} + {\left( {{\delta_{M}(q)} + \frac{q\left( {q - 1} \right)}{2^{{m + 1}\;}}} \right){\delta_{H}(q)}}}},$

where B makes q queries of total length at most μ+q(s+s′) bits and runs in time O(t).

Theorem 8—Authenticity for AEAD.

Ψ[{tilde over (E)}]=Ψ[Encode_(H),EncodeMsg, {tilde over (E)}] as defined in the pseudocode listings of section VI.B. Let s is the stretch of EncodeMsg, s′ is the maximal stretch of Encode_(H), and m is the length of the shortest M∈

satisfying Decode_(M)( H, M)≠Errors for some H∈

. A is an adversary making q_(ε) (resp., q_(D)) queries totaling μ_(ε) (resp., μ_(D)) bits to its encryption (resp., decryption) oracle, and running in time t. If Encode_(M) is ∈-sparse and q_(ε)+q_(D)<2^(m−1), there is an adversary B such that Adv_(Ψ[{tilde over (E)}]) ^(int-ctxt)(A)≦Ad

(B)+2_(D)∈, where B makes q_(ε) forward-queries of total length (μ_(ε)+q_(ε)s) bits, q_(D) inverse-queries of total length (

+

s′) bits, and runs in O(t) time.

Consider the case that Encode_(H) is (2,0)-colliding. In this case, the privacy bound (Theorem 7) simplifies to Adv_(Ψ) ^(priv) (A)≦Ad

(B). This is intuitive, since if the tweak H never repeats, the outputs {tilde over (E)}_(K) ( H, M) are uniformly random strings for any valid encoding of (H, M) into M; Encode_(H)(H, M)=M suffices. Thus, good encodings of the header H can substantially reduce the burden placed upon encoding of (H, M) into M.

More generally, assume that the probability of Encode_(H) producing any H more than d times, for some small constant d<<q, is negligible. Then the final term in the bound can effectively be ignored. The second term is roughly qδ_(M)(d)+q/2^(m+1). Now, notice that δ_(M) is evaluated at d, not q, and so qδ_(M)(d) can be made negligible by encoding a reasonable amount of randomness into M (e.g. log(q) bits). For some natural choices of EncodeMsg then, q/2^(m+1) will be the dominating term, where m is the shortest length of M. But to achieve good authenticity bounds, m is unlikely to let q/2^(m+1) ruin the bound.

The presence of the tweak allows shifting of “extra” bits for randomness or state into the encoding of the header, which potentially reduces the number of bits that must be cryptographically processed.

Turning now to the authenticity bound (Theorem 8), note that if Encode_(M) inserts b redundant bits (so ∈≈2^(−b)) and q_(ε)+q_(D)<<2^(m), the second term of the authenticity bound is approximately q_(D)/2^(b)). Thus, if the tweakable cipher {tilde over (E)} has STPRP-security up to, for example, 2⁸⁰ queries (e.g., an appropriately instantiated PIV with N=256), then encoding the header with a nonce, and the message with 80 bits of redundancy, yields an AEAD scheme with roughly 80-bit privacy and authenticity guarantees, and one that can tolerate nonce-misuse.

The proof of Theorem 8 can be easily modified to show that the stated bound holds even if the adversary controls the coins and state of Encode_(M) and Encode_(H). Additionally, only decryption oracle queries are assumed to be not redundant—adversaries are not assumed to respect any nonces encoded into the headers or messages.

Proof of Theorem 7.

Π

BC(

,

) is a random cipher. Ψ[Π] is the AEAD scheme obtained by replacing {tilde over (E)}_(K) and {tilde over (E)}_(K) ⁻¹ with Π and Π⁻¹, respectively, everywhere in the algorithms of Ψ[Encode_(H), EncodeMsg, {tilde over (E)}]. ε_(Π) is the corresponding encryption algorithm. Pr[A^(ε) ^(K) ^((•,•))

1]−Pr[A^(ε) ^(Π) ^((•,•))

1]≦Ad

(B), for the standard adversary B that simulates ε_(K) or ε_(Π), depending on its own oracle. This leaves Adv_(Ψ) ^(Priv) (A)≦Ad

(B)+Pr[A^(ε) ^(Π) ^((•,•))

1]−Pr[K

; A^($) ^(K) ^((•,•))

1].

A sequence of three games in FIG. 10 helps illustrate the proof. In FIG. 10, boxed commands are included in Game 1 but omitted from Game 2, causing the ε_(Π) oracle to always return random strings. Game 3 bounds the probability that this change can be detected by an adversary (as measured by the probability that a “bad” value will be set).

s is the stretch of Encode_(M). Game 1 (in FIG. 10) implements ε_(Π) using lazy-sampling to define Π. In particular, on the i-th query (H_(i), M_(i)), Game 1 computes the encodings H _(i), M _(i) and then samples a potential value S_(i) to assign to Π( H _(i), Mi). This value will be valid so long as Π( H _(i), M _(i)) has not already been set, and as long as S_(i) has not been used with H _(i) before; otherwise, Game 1 sets bad₁ or bad₂, and then reassigns S_(i) an appropriate value.

Since Game 2 (in FIG. 10) is identical to Game 1 until bad₁ or bad₂ is set:

Pr[A ^(ε) ^(Π) ^((•,•))

1]=Pr[G1(A)

1]

=Pr[G1(A)

1

(bad₁

bad₂)]+Pr[G1(A)

1

(bad₁

bad₂)]

≦Pr[G2(A);bad₁

bad₂ ]+Pr[G2(A)

1

(bad₁

bad₂)],

where the final line uses an alternative formulation of the fundamental lemma of game-playing. In Game 2, the value of S_(i) is always uniformly random in {0,1}^(|M) ^(i) ^(|+s), and ε_(Π)'s outputs are independent of each M_(i). Consequently, assigning values to each M_(i) can be postponed until after A halts. This in turn allows postponing of checking to see if bad₁ or bad₂ should be set without altering the probability that they will be. Making both these changes yields Game 3 (in FIG. 10), so Pr[G2(A); bad₁

bad₂]=Pr[G3(A); bad₁

bad₂]. Thus:

Pr[G2(A)

1

(bad₁

bad₂)]=Pr[G3(A)

1

(bad₁

bad₂)]

≦Pr[G3(A)

1]=Pr[K

;A ^($) ^(K) ^((•,•))

1],

where the final equality follows from the fact that in Game 3, each S_(i) is sampled independently and uniformly at random from the set of appropriately sized strings. To recap, at this point:

Adv_(Ψ) ^(priv)(A)≦Adv_({tilde over (E)}) ^(prp)(B)+Pr[G3(A);bad₁

bad₂].

To establish an upper bound for Pr[G3(A); bad₁ V bad₂], suppose that A has just generated its output after running in Game 3. To bound the probability that bad₁ gets set, N=: |{ H _(i): i≦q}| is the number of distinct tweak encodings generated during the course of the game. R₁, R₂, . . . , R_(N) ⊂{1, 2, . . . , q} are equivalence classes characterized by the property that i and j are in the same class if and only if H_(i)=H_(j). The probability that bad₁ will be set is at most Σ_(k) δ_(M)(|R_(k)|). The upper bound is obtained by summing the values of the increasing convex function δ_(M) at the points |R₁|, |R₂|, . . . , |R_(N)| where |R₁|+|R₂|+ . . . +|R_(N)|=q. Consequently, the bound is largest (for fixed q) when N=1 and R₁={1,2, . . . , q}. But suppose that each |R_(k)|<d, an event denoted as Capped. In this case, Pr[G3(A);

Capped]≦δ_(H)(q). Given that Capped occurs, Σ_(k) δ_(M) (|R_(k)|) is largest when N=┌q/(d−1)┐ and |R_(k)|=d−1 for k=1, 2, . . . , N−1. This yields:

${\Pr \left\lbrack {{G\; 3(A)};{bad}_{1}} \right\rbrack} \leq {{\Pr \left\lbrack {{G\; 3(A)};\left. {bad}_{1} \middle| {Capped} \right.} \right\rbrack} + {{\Pr \left\lbrack {{G\; 3(A)};{{bad}_{1}{Capped}}} \right\rbrack}{\Pr \left\lbrack {{G\; 3(A)};{{Capped}}} \right\rbrack}}} \leq {{{\delta_{M}\left( {d - 1} \right)}\left\lceil \frac{q}{d - 1} \right\rceil} + {{\delta_{M}(q)}{{\delta_{H}(q)}.}}}$

Similarly:

${{\Pr \left\lbrack {{G\; 3(A)};{bad}_{2}} \right\rbrack} \leq {{\Pr \left\lbrack {{G\; 3(A)};\left. {bad}_{2} \middle| {Capped} \right.} \right\rbrack} + {{\Pr \left\lbrack {{G\; 3(A)};{{bad}_{2}{Capped}}} \right\rbrack}{\Pr \left\lbrack {{G\; 3(A)};{{Capped}}} \right\rbrack}}} \leq {{\frac{\left( {d - 1} \right)\left( {d - 2} \right)}{2^{m + 1}}\left\lceil \frac{q}{d - 1} \right\rceil} + {\frac{q\left( {q - 1} \right)}{2^{m + 1}}{\delta_{H}(q)}}}},$

since the standard i

i(i−1)/2^(m+1) birthday bound (for the probability of a collision among i independent random variables sampled uniformly from {0,1}^(m)) meets the criterion of an increasing convex function.

Proof of Theorem 8.

Let B be the STPRP adversary that simulates the INT-CTXT experiment for A and outputs 1 if A would set Forges to true. Then Adv_(Ψ) ^(int-ctxt) (A)≦Ad

(B)+Adv_(Ψ[Π]) ^(int-ctxt)(A) where Ψ[Π] is the scheme obtained by replacing {tilde over (E)}_(K) and {tilde over (E)}_(K) ⁻¹ with Π and Π⁻¹, respectively, everywhere in the algorithms of Ψ, and Adv_(Ψ|Π|) ^(int-ctxt) (A) is defined in the natural way (with probabilities over the random choice of Π, rather than K).

Game 4 (FIG. 11) simulates the IND-CTXT experiment for Sε[Π]. By defining Π through lazy sampling, Adv_(Ψ[Π]) ^(int-ctxt)(A)=Pr[G4(A); Forges]. In the code for the D_(Π) oracle, it need not check if Π⁻¹( H, Y) has already been defined; this possibility is excluded by the fact that A does not repeat queries to D_(Π), and does not send D_(Π) a value previously returned by ε_(Π) (while preserving the header). For some query to D_(Π). The probability that A forges on this query is equal to the probability that the corresponding, randomly chosen value of

is a valid encoding. There are at most 2^(|Y|)∈ valid encodings of the correct length, and

is sampled from a set of size at least 2^(|Y|)−(q_(ε)+q_(D)). Consequently, A forges on this query with probability at most 2^(|Y|)∈/(2^(|Y|)−(q_(ε)+q_(D)))<2^(m) ∈/(2^(m)−2^(m−1))=2∈. A union bound completes the proof.

In view of the many possible embodiments to which the principles of the disclosed invention may be applied, it should be recognized that the illustrated embodiments are only preferred examples of the invention and should not be taken as limiting the scope of the invention. Rather, the scope of the invention is defined by the following claims. We therefore claim as our invention all that comes within the scope and spirit of these claims. 

We claim:
 1. A computer-implemented system for encryption and/or decryption comprising: a first fixed-input-length tweakable block cipher (“FIL TBC”) adapted to produce a fixed-length initialization vector; a variable-input-length tweakable cipher (“VILTC”) adapted to produce a variable-length output string using the fixed-length initialization vector as a tweak; and a second FIL TBC adapted to produce a fixed-length output string.
 2. The system of claim 1 wherein the first FIL TBC is provided through a first call to a given FIL TBC component, and wherein the second FIL TBC is provided through a second call to the given FIL TBC component.
 3. The system of claim 2 wherein, in the first call, the given FIL TBC component accepts a fixed-length input string, as first input for the given FIL TBC component, and a combination of a tweak and a variable-length input string, as first tweak for the given FIL TBC component, and wherein, in the second call, the given FIL TBC component accepts the fixed-length initialization vector, as second input for the given FIL TBC component, and a combination of the tweak and the variable-length output string, as second tweak for the given FIL TBC component.
 4. The system of claim 1 wherein the first and second FIL TBCs are provided through different FIL TBC components.
 5. The system of claim 1 wherein the first FIL TBC and the second FIL TBC protect the fixed-length initialization vector from exposure outside the system.
 6. The system of claim 1 wherein the system accepts, as a tweak for the system, a value based on an environmental feature of the system.
 7. The system of claim 1 wherein the first FIL TBC, the second FIL TBC, and the VILTC are implemented using special-purpose hardware.
 8. The system of claim 1 wherein the first FIL TBC, the second FIL TBC, and the VILTC are implemented using software that executes on general-purpose hardware.
 9. The system of claim 1 wherein the fixed-length initialization vector is an N-character initialization vector and the fixed-length output string is an N-character output string, and wherein: the first FIL TBC is a first N-character TBC adapted to produce the N-character initialization vector; the VILTC is adapted to produce the variable-length output string using the N-character initialization vector as a tweak; and the second FIL TBC is a second N-character TBC adapted to produce the N-character output string.
 10. The system of claim 9 further comprising: a first buffer for storing an N-character input string and a variable-length input string; and a second buffer for storing the N-character output string and the variable-length output string.
 11. The system of claim 10 wherein characters of the N-character input string, the variable-length input string, the N-character output string, and the variable-length output string are selected from a pre-determined, finite set of symbols.
 12. The system of claim 9 wherein the first N-character TBC, the VILTC and the second N-character TBC are constructed from randomly generated permutation look-up tables.
 13. The system of claim 9 wherein: the first N-character TBC is adapted to produce the N-character initialization vector using an N-character input string, as input for the first N-character TBC, and a combination of a tweak for the system and a variable-length input string, as tweak for the first N-character TBC; the VILTC is adapted to produce the variable-length output string using the N-bit initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC; and the second N-character TBC is adapted to produce the N-character output string using the N-character initialization vector, as input for the second N-character TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second N-character TBC.
 14. The system of claim 1 wherein the fixed-length initialization vector is an N-bit initialization vector and the fixed-length output string is an N-bit output string, and wherein: the first FIL TBC is a first N-bit tweakable block cipher (“TBC”) adapted to produce the N-bit initialization vector; the VILTC is adapted to produce the variable-length output string using the N-bit initialization vector as a tweak; and the second FIL TBC is a second N-bit TBC adapted to produce the N-bit output string.
 15. The system of claim 14 further comprising: a first buffer for storing an N-bit input string and a variable-length input string; and a second buffer for storing the N-bit output string and the variable-length output string.
 16. The system of claim 14 wherein: the first N-bit TBC is adapted to produce the N-bit initialization vector using an N-bit input string, as input for the first N-bit TBC, and a combination of a tweak for the system and a variable-length input string, as tweak for the first N-bit TBC; the VILTC is adapted to produce the variable-length output string using the N-bit initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC; and the second N-bit TBC is adapted to produce the N-bit output string using the N-bit initialization vector, as input for the second N-bit TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second N-bit TBC.
 17. The system of claim 14 further comprising: a controller adapted to adjust N to trade off security and implementation efficiency, wherein a smaller value of N provides worse security but simplifies efficient implementation subject to security constraints, and wherein a larger value of N provides better security but complicates efficient implementation subject to the security constraints.
 18. The system of claim 14 wherein the first N-bit TBC and the second N-bit TBC have identical structure.
 19. The system of claim 14 wherein: at least one of the first N-bit TBC and the second N-bit TBC is an LRW2 TBC construction; and the VILTC is an iterated LRW2 TBC construction.
 20. The system of claim 19 wherein the LRW2 TBC is adapted to produce an n-bit LRW2 output string by computing an exclusive-OR between (1) an encrypted version of an exclusive-OR between (a) an n-bit LRW2 input string and (b) an n-bit hash of a tweak input, and (2) the n-bit hash of the tweak input.
 21. The system of claim 14 wherein: at least one of the first N-bit TBC and the second N-bit TBC is a domain-extended CLRW2 construction; and the VILTC is an iterated CLRW2 construction.
 22. The system of claim 14 wherein N is
 128. 23. The system of claim 14 wherein N is
 256. 24. A computer-implemented method comprising: processing a fixed-length input string and a variable-length input string to produce a fixed-length output string and a variable-length output string, including: producing a fixed-length initialization vector; producing the variable-length output string with a variable-input-length tweakable cipher (“VILTC”) using the fixed-length initialization vector as a tweak; and obscuring the fixed-length initialization vector; and outputting the fixed-length output string and the variable-length output string.
 25. The method of claim 24 wherein the processing further comprises: setting a system-level tweak based on an environmental feature.
 26. The method of claim 24 wherein the fixed-length input string is an N-character input string, the fixed-length output string is an N-character output string, and the fixed-length initialization vector is an N-character initialization vector.
 27. The method of claim 26 wherein the N-character initialization vector is: produced with a first N-character TBC; and obscured by a second N-character TBC that produces the N-character output string.
 28. The method of claim 26 wherein the processing is part of format-preserving encryption, wherein the N-character input string and the variable-length input string are plaintext, and the N-character output string and the variable-length output string are ciphertext.
 29. The method of claim 26 wherein the processing is part of format-preserving decryption, wherein the N-character input string and the variable-length input string are ciphertext, and the N-character output string and the variable-length output string are plaintext.
 30. The method of claim 24 wherein the fixed-length input string is an N-bit input string, the fixed-length output string is an N-bit output string, and the fixed-length initialization vector is an N-bit initialization vector.
 31. The method of claim 30 wherein the N-bit initialization vector is: produced with a first N-bit tweakable block cipher (“TBC”); and obscured by a second N-bit TBC that produces the N-bit output string
 32. The method of claim 30 wherein: the producing the N-bit initialization vector with the first N-bit TBC is based on the N-bit input string, as input for the first N-bit TBC, and a combination of a tweak for the system and the variable-length input string, as tweak for the first N-bit TBC; the producing the variable-length output string with the VILTC is based on the N-bit initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC; and the producing the N-bit output string with the second N-bit TBC is based on the N-bit initialization vector, as input for the second N-bit TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second N-bit TBC.
 33. The method of claim 30 wherein the processing is part of full-disk encryption, wherein the N-bit input string and the variable-length input string are plaintext, and the N-bit output string and the variable-length output string are ciphertext.
 34. The method of claim 30 wherein the processing is part of full-disk decryption, wherein the N-bit input string and the variable-length input string are ciphertext, and the N-bit output string and the variable-length output string are plaintext.
 35. The method of claim 30 wherein the processing is part of authenticated encryption with associated data, wherein the N-bit input string and the variable-length input string are plaintext, and the N-bit output string and the variable-length output string are ciphertext.
 36. The method of claim 30 wherein the processing is part of authenticated decryption with associated data, wherein the N-bit input string and the variable-length input string are ciphertext, and the N-bit output string and the variable-length output string are plaintext.
 37. The method of claim 30 further comprising: adjusting N to trade off security and implementation efficiency, wherein a smaller value of N provides worse security but simplifies efficient implementation subject to security constraints, and wherein a larger value of N provides better security but complicates efficient implementation subject to the security constraints.
 38. A computer-implemented system for encryption and/or decryption comprising: a first buffer for storing an N-bit input string and a variable-length input string; a first N-bit tweakable block cipher (“TBC”) adapted to produce an N-bit initialization vector using the N-bit input string, as input for the first N-bit TBC, and a combination of a tweak for the system and the variable-length input string, as tweak for the first N-bit TBC; a variable-input-length tweakable cipher (“VILTC”) adapted to produce a variable-length output string using the N-bit initialization vector, as tweak for the VILTC, and the variable-length input string, as input for the VILTC; a second N-bit TBC adapted to produce an N-bit output string using the N-bit initialization vector, as input for the second N-bit TBC, and a combination of the tweak for the system and the variable-length output string, as tweak for the second N-bit TBC; and a second buffer for storing the N-bit output string and the variable-length output string.
 39. The system of claim 38 wherein the tweak for the system is a value based on an environmental feature of the system.
 40. The system of claim 38 further comprising: a controller adapted to adjust N to trade off security and implementation efficiency, wherein a smaller value of N provides worse security but simplifies efficient implementation subject to security constraints, and wherein a larger value of N provides better security but complicates efficient implementation subject to the security constraints.
 41. A computer-implemented method comprising: receiving a header and a message; processing the message using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated encryption with associated data, wherein a tweak for the VILTC is based at least in part on the header, and wherein the processing produces an encrypted message; and outputting the header and the encrypted message.
 42. The method of claim 41 wherein the processing the message includes: determining a modified header using the header and reconstruction information; determining a modified message using the message and the modified header; and encrypting the modified message using the VILTC with the modified header as the tweak for the VILTC.
 43. The method of claim 42 further comprising: outputting the reconstruction information.
 44. A computer-implemented method comprising: receiving a header and an encrypted message; processing the encrypted message using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated decryption with associated data, wherein a tweak for the VILTC is based at least in part on the header, and wherein the processing produces a message; and outputting the message.
 45. The method of claim 44 further comprising: receiving reconstruction information.
 46. The method of claim 45 wherein the processing the encrypted message includes: determining a modified header using the header and the reconstruction information; decrypting the encrypted message using the VILTC with the modified header as the tweak for the VILTC, thereby producing a modified message; and determining the message using the modified message and the modified header. 